<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:media="http://search.yahoo.com/mrss/"><channel><title><![CDATA[Cloudflare Blog]]></title><description><![CDATA[Cloudflare Blog]]></description><link>https://blog.cloudflare.com/</link><generator>Ghost 0.11</generator><lastBuildDate>Wed, 17 May 2017 05:22:39 GMT</lastBuildDate><atom:link href="https://blog.cloudflare.com/rss/" rel="self" type="application/rss+xml"/><ttl>60</ttl><item><title><![CDATA[Introducing Load Balancing & Intelligent Failover with Cloudflare]]></title><description><![CDATA[<p>Cloudflare's Enterprise customers have been using our <a href="https://www.cloudflare.com/load-balancing/">Load Balancing</a> service since March, and it has been helping them avoid website downtime caused by unreliable hosting providers, Internet outages, or servers. Today, we're bringing Load Balancing to all of our customers.</p>

<p><img src="https://blog.cloudflare.com/content/images/2017/05/Freibordmarke.jpg" alt=""></p>

<p>Even the best caching can't escape the fundamental limitations on</p>]]></description><link>https://blog.cloudflare.com/introducing-load-balancing-intelligent-failover-with-cloudflare/</link><guid isPermaLink="false">b5630c18-7ae3-415d-920a-54218e038db9</guid><category><![CDATA[Load Balancing]]></category><category><![CDATA[DNS]]></category><category><![CDATA[Reliability]]></category><category><![CDATA[Performance]]></category><dc:creator><![CDATA[Matt Silverlock]]></dc:creator><pubDate>Sun, 14 May 2017 15:00:00 GMT</pubDate><content:encoded><![CDATA[<p>Cloudflare's Enterprise customers have been using our <a href="https://www.cloudflare.com/load-balancing/">Load Balancing</a> service since March, and it has been helping them avoid website downtime caused by unreliable hosting providers, Internet outages, or servers. Today, we're bringing Load Balancing to all of our customers.</p>

<p><img src="https://blog.cloudflare.com/content/images/2017/05/Freibordmarke.jpg" alt=""></p>

<p>Even the best caching can't escape the fundamental limitations on performance created by the speed of light. Using Load Balancing, Cloudflare's customers can now route requests between multiple origins, allowing them to serve requests from the closest (and fastest) geographic location.</p>

<p>The Cloudflare Load Balancer automatically sends you notifications when things fail, and when they come back up again, so you can sleep well at night knowing we are keeping your website or API running.</p>

<hr>

<p>If a DDoS attack can bring down your DNS provider or load balancer, it doesn't matter whether your servers are healthy or not. Our load balancing service runs in Cloudflare's 110+ datacenters, and with experience dealing with some of the largest DDoS attacks, we can withstand traffic volumes that smaller providers, virtual machines or hardware appliances can't. This also allows us to help you avoid business-impacting downtime when major cloud compute providers have issues: when we identify a connectivity reaching your application on AWS, we can fail over to your backup infrastructure on Google, a different region, or on-premise servers, and keep your site up and your customers happy.</p>

<p>Further, when proxying traffic through Cloudflare, you immediately benefit from faster failover responsiveness. In building Load Balancing we took a careful look at the existing global load balancing solutions on the market, and found that many rely on DNS to reroute traffic. Cloudflare will work as a DNS load balancer for non-proxied traffic (gray clouded in your DNS control panel) but works as an active proxy with near instant failover for proxied traffic. This means you don’t have to wait for TTLs to expire for traffic to shift.</p>

<p>We know from experience that it's common for a DNS change to take at least 60 seconds to propagate, even when everything is configured perfectly. Sixty seconds can represent thousands of failed requests, frustrated customers and lost sales. Cloudflare’s Load Balancer can reroute proxied traffic almost instantly, giving you the benefits previously reserved for on-premise load balancers but in the cloud.</p>

<p>Even customers with a single origin can benefit from Cloudflare’s Load Balancer. The product includes active and passive monitoring that will now alert you if we have trouble reaching your origin. Cloudflare’s position actively monitoring our customers’ traffic means we can let you know much more quickly than other monitoring services when your site is experiencing a problem </p>

<p>Valérian Saliou, Chief Technology Officer at Crisp, is using Cloudflare to geographically route WebSocket traffic: "When we rolled out Cloudflare Load Balancing to route traffic across our atlas of websocket servers, we immediately got messages from customers in Asia and Oceania thanking us for the improvement." </p>

<p><img src="https://blog.cloudflare.com/content/images/2017/05/lb-dashboard-minimal.png" alt=""></p>

<h3 id="howcanigetstartedwithloadbalancing">How Can I Get Started with Load Balancing?</h3>

<p>So where do you go from here? You can enable Load Balancing in the Traffic app of your Cloudflare dashboard. We've put together a tutorial on how to get started with failover &amp; health checks between multiple servers.</p>

<p>We want load balancing to be available to everyone. For that reason, Load Balancing starts at $5 per month, and includes 500,000 DNS queries each month (enough for the vast majority of sites).</p>

<p><img src="https://blog.cloudflare.com/content/images/2017/05/lb-pool-creation.png" alt=""></p>

<p>Setting up a Load Balancer only takes a couple of minutes, and Load Balancers can easily be shared across multiple sites on Cloudflare, avoiding the need for repetitive configuration.</p>

<p>If you want to understand more about Load Balancing on Cloudflare, visit our <a href="https://www.cloudflare.com/load-balancing/">product</a> page or take a dive through our <a href="https://support.cloudflare.com/hc/en-us/articles/115000081911-Tutorial-How-to-Set-Up-Load-Balancing-Intelligent-Failover-on-Cloudflare">help articles</a>.</p>]]></content:encoded></item><item><title><![CDATA[Detroit and San Diego Data Centers expand Cloudflare network to 26 North American cities]]></title><description><![CDATA[<p><img src="https://blog.cloudflare.com/content/images/2017/05/DTW_SAN.png" alt="alt"></p>

<p>Cloudflare is excited to announce deployments in Detroit (Michigan) and San Diego (California), which are our 114th and 115th data centers respectively. They join <a href="https://blog.cloudflare.com/colombo/">Colombo, Sri Lanka</a> and <a href="https://blog.cloudflare.com/cape-town-south-africa/">Cape Town, South Africa</a> in the cohort of four new cities added just this week to our growing global network, which spans</p>]]></description><link>https://blog.cloudflare.com/detroit-san-diego/</link><guid isPermaLink="false">b4be9c26-15b2-4a1f-af2e-2c89fbf636c6</guid><category><![CDATA[California]]></category><category><![CDATA[Data Center]]></category><category><![CDATA[Network Map]]></category><category><![CDATA[San Diego]]></category><category><![CDATA[Detroit]]></category><category><![CDATA[Michigan]]></category><dc:creator><![CDATA[Nitin Rao]]></dc:creator><pubDate>Fri, 12 May 2017 21:29:32 GMT</pubDate><content:encoded><![CDATA[<p><img src="https://blog.cloudflare.com/content/images/2017/05/DTW_SAN.png" alt="alt"></p>

<p>Cloudflare is excited to announce deployments in Detroit (Michigan) and San Diego (California), which are our 114th and 115th data centers respectively. They join <a href="https://blog.cloudflare.com/colombo/">Colombo, Sri Lanka</a> and <a href="https://blog.cloudflare.com/cape-town-south-africa/">Cape Town, South Africa</a> in the cohort of four new cities added just this week to our growing global network, which spans 57 countries and counting. </p>

<p>For over 6 million Internet properties, we now serve customer traffic from across 26 North American cities, including 22 in the United States alone. We're not going to stop building our network until we're within milliseconds of every Internet user, and to that end, data centers are already in the works in eight additional North American cities (and many others around the world).</p>

<h1 id="connections">Connections</h1>

<p><img src="https://blog.cloudflare.com/content/images/2017/05/passports.png" alt="alt">
<em> Source: <a href="http://www.bajainsider.com/">Baja Insider</a></em></p>

<p>Detroit and San Diego share something special, as they are immediately adjacent to international borders with Canada and Mexico respectively. Detroit has four border crossings to Windsor, Ontario, including the Ambassador Bridge, which was built in the Roaring Twenties, and accommodates over a quarter of all merchandise trade with Canada. </p>

<p>Founded in 1701, and best known for cars and <a href="https://www.motownmuseum.org/story/motown/">Motown</a>, Detroit eagerly awaits a 3,000 pound bronze RoboCop statue to watch over Delta City (track progress <a href="https://www.kickstarter.com/projects/imaginationstation/detroit-needs-a-statue-of-robocop/posts/479137">here</a>). An early member of our technical operations team and fan of <a href="http://www.npr.org/2011/05/27/136655438/get-familiar-with-detroit-techno-10-essential-songs">Detroit Techno</a> is especially excited that this month's <a href="http://movement.us/">Movement Electronic Music Festival</a> is a Cloudflare customer.</p>

<p>San Diego, the second largest city (by population) in California, is home to deep canyons and its world renowned San Diego Zoo. Later this month, skateboarders across San Diego will celebrate <a href="http://www.nbcsandiego.com/news/local/Tony-Hawk-Day-Proclaimed-in-City-of-San-Diego--261169891.html">Tony Hawk Day</a>.</p>

<h1 id="expandingtheedge">Expanding the edge</h1>

<p>Projects such as the non-profit Internet exchange <a href="http://www.detroitix.com/">DET-IX</a>, enable greater regional interconnection, bringing together hosts, ISPs, and "edge" networks (such as Cloudflare), to exchange traffic locally instead of further away in Chicago. As we turn up peering with additional networks in the coming weeks, we expect to serve a growing share of Internet users in Detroit and San Diego right from their city.</p>

<p>Stay tuned for more data centers. The world's bluest sky will soon welcome the Cloudflare orange cloud.</p>]]></content:encoded></item><item><title><![CDATA[Standing Up to a Dangerous New Breed of Patent Troll]]></title><description><![CDATA[<p>On March 20th, Cloudflare received our first patent infringement claim: <em>Blackbird Tech LLC v. Cloudflare, Inc.</em> Today we’re filing our Answer to that claim in a federal court in Delaware. We have very strong arguments we will present in the litigation, mostly because the patent asserted against us does</p>]]></description><link>https://blog.cloudflare.com/standing-up-to-a-dangerous-new-breed-of-patent-troll/</link><guid isPermaLink="false">f3da0d72-6510-4f2f-ab9b-b398075e5f69</guid><category><![CDATA[Legal]]></category><category><![CDATA[Community]]></category><dc:creator><![CDATA[Matthew Prince]]></dc:creator><pubDate>Thu, 11 May 2017 15:00:44 GMT</pubDate><content:encoded><![CDATA[<p>On March 20th, Cloudflare received our first patent infringement claim: <em>Blackbird Tech LLC v. Cloudflare, Inc.</em> Today we’re filing our Answer to that claim in a federal court in Delaware. We have very strong arguments we will present in the litigation, mostly because the patent asserted against us does not have anything to do with our technology.</p>

<ul>
<li><p>The infringement claim is not a close one. The <a href="https://www.google.com/patents/US6453335">asserted patent</a>, US 6453335 (‘335 patent) was filed in 1998, and describes a system for monitoring an existing data channel and inserting error pages when transmission rates fall below a certain level. Nothing from 1998—including the ’335 patent—comes close to describing our state-of-the-art product that is provisioned via DNS, speeds up internet content delivery, and protects against malicious attackers. Our technology is innovative and different, and Cloudflare’s technology has about 150 patents issued or in process.</p></li>
<li><p>We also expect to show that the patent itself is invalid. For example, if the ’335 patent is read broadly enough to cover our system (which shouldn’t happen), it would also cover any system where electronic communications are examined and redacted or modified. But this is not new. Filtering products performing similar functions were around long before the time of the ‘335 patent. Blackbird’s claims under the ‘335 patent are much, much broader than what is justified in light of the prior art.</p></li>
</ul>

<p>This claim is a nuisance for us. The lawsuit will take our time, distract us from our work, and it will cost us money to fight. Patent trolls like <a href="http://www.blackbird-tech.com/">Blackbird Technologies</a> (<a href="https://twitter.com/bbirdtech">@bbird_tech</a>) exist to create these headaches so companies will play along and give them money to go away. </p>

<p>There’s no social value here. There’s no support for a maligned inventor. There’s no competing business or product. There’s no validation of an incentive structure that supports innovation. This is a shakedown where a patent troll, Blackbird Technologies, creates as much nuisance as it can so its attorney-principals can try to grab some cash.</p>

<p><img src="https://blog.cloudflare.com/content/images/2017/05/indominus-rex-aka-blackbird-technologies.jpg" alt="Indominus rex, Jurassic World">
<span style="font-size: 8px">Indominus rex, <i>Jurassic World</i></span></p>

<p>Worse still, Blackbird is a new, especially dangerous breed of patent troll. Like the dinosaur in the latest <i>Jurassic Park</i> movie, a synthetic combination of Tyrannosaurs and Velociraptor, Blackbird combines both a law firm and intellectual property rights holder into a single entity. In doing so, they remove legal fees from their cost structure and can bring lawsuits of potentially dubious merit without having to bear any meaningful cost. In other words, Blackbird’s new breed of entity is specifically designed to add leverage and amplify the already widely maligned problem of patent trolling.</p>

<p>Cloudflare does not intend to play along. As explained later in this blog post, we plan to (i) contest the patent lawsuit vigorously, (ii) fund an award for a crowdsourced search for prior art that can be used to invalidate Blackbird patents, and (iii) ask the relevant bar associations to investigate what we consider to be violations of the rules of professional conduct by Blackbird and its attorneys.</p>

<iframe src="https://pages.cloudflareapps.com/patent-troll-with-input/" scrolling="no" frameborder="no" height="188" style="width: 1px; min-width: 100%"></iframe>

<h3 id="partithepatenttrollproblemandblackbirdtech">Part I — The Patent Troll Problem and Blackbird Tech</h3>

<p>A troll is a creature that lives in a cave, under a bridge, or in the hills and serves no productive purpose—other than to be threatening, ugly, and malodorous. In modern parlance, the term is used for someone who merely seeks to annoy others to get a rise out of them, either in the comments section of an Internet page or by making nuisance legal claims. A patent troll is a company formed for only one purpose—to purchase patents and assert them broadly against real, productive companies that are actively engaged and making and selling products. The point isn’t whether their patents are infringed and/or invalid. A perverse incentive structure encourages trolls to bring lawsuits against numerous companies and demand nuisance settlements—settlements well below the millions of dollars it can take a company to protect themselves and defend a patent infringement case.</p>

<p><img src="https://blog.cloudflare.com/content/images/2017/05/troll.jpg" alt="Freemont Troll">
<span style="font-size: 8px">"Freemont Troll" by Esther Lee (<a href="https://www.flickr.com/photos/47096398@N08/5521406802/in/photolist-9pUDT1-4fCCQ-mqEop-4Zpfbh-8vcqtZ-8iBqJ4-8p96QD-SMNCFQ-dpCsKX-dSBVA8-3YPDgW-arkhTT-ScJLs8-7MXfLR-RqZeX9-FD1BF-a3a62P-4fCoi-8p9pg2-hcFhRs-5Zu58r-8jjPD2-4Zk3dV-4fCCR-4VfFUW-9fBSq6-cTyhC-4Zk5JF-4ZpdJN-dhNy3p-fHq7nu-4fCCP-4fCog-4Zk5dM-4rRswj-4rMo38-gAc2o8-7VNQv9-bNM4Bp-aR4gxt-3ELUU-4Zk6cD-7GhCZy-4fCof-orgs1f-8AqjCu-N6q1G-6XfjPX-2f6La2-55sxqv">Flickr</a>)</span></p>

<p>Although the case against patent trolls is well known, it is worth reviewing. </p>

<p>Patent trolls serve no productive purpose. They don’t make products, conduct research and development, hire employees, or add value to society. This is why they are often called non-practicing entities (NPE). They merely take existing, and largely unexercised patents, and assert them widely against numerous successful companies to try and pry some money for themselves. Often, the trolls lie in wait until after those companies have made irreversible investments in their technology to maximize their leverage. They buy patents solely for the purpose of initiating litigation, and benefit from their non-practicing status to limit their costs in litigation discovery and to limit counterclaims of patent infringement that could be raised if they were actually engaged in productive activity. And increasingly in the world of software or tech patents, the trolls rely on the broadest possible interpretation of vague or generalized patents to sow as much uncertainty as possible. </p>

<p>The social and economic costs of patent trolls are staggering, no matter how you measure them. Estimates in recent years suggest that the number of cases brought by patent trolls have increased more than 500% over the past ten years. And about 70% of all patent infringement claims are filed by patent trolls, a share that has more than doubled in recent years. It is estimated that litigation initiated by patent trolls in U.S. courts cost companies as much as $30 billion in direct costs, a number that has increased more than four-fold over the last ten years. And those direct costs are only the tip of the iceberg, as losses in company value and foregone economic opportunity may be as many as five or ten times that amount.</p>

<iframe width="560" height="315" src="https://www.youtube.com/embed/3bxcc3SM_KA" frameborder="0" allowfullscreen></iframe>

<p><br><br><br>[See, generally, Chien, Colleen. “Startups and Patent Trolls.” Santa Clara University Legal Studies Research Paper No. 09-12 Working Paper Series, 2012. Bessen, James E. Michael J. Meurer. “The Direct Costs from NPE Disputes.” Boston University School of Law, Law and Economics Research Paper No. 12-34, June 28, 2012. RPX. 2015 Report: NPE Litigation, Patent Marketplace, and NPE Cost.]</p>

<h4 id="cloudflaressupportforthepatentsystem">Cloudflare’s Support for the Patent System</h4>

<p>Make no mistake, Cloudflare is a strong supporter of the patent system. The value and stability of our company is supported by the nearly 150 patents awarded or in process on our technology. We wouldn’t be able to exist, and wouldn’t be able to invest to bring our company to scale, if we didn’t have the security of a well-functioning patent system. </p>

<p>In a fair fight, we’d be able to defend ourselves by pushing back against a practicing entity with the technology set forth in our own patents. If the other entity was actually applying its patent to commercial products and felt hindered in the marketplace because of our operations, we might be able to raise countering arguments that a practicing entity was closer to infringing on our patents than we are to infringing theirs. It would help us to defend the lines around our use of own patented technology and demonstrate whether the infringement was actually happening. </p>

<p>But patent trolls get to live in a fictional world without a business or operations that can be compared or challenged. </p>

<p>And the value of the patent system isn’t one limited to recent developments or to the tech boom. It has supported the innovative spirit of the American people since America’s founding. </p>

<p>It has been <a href="http://www.myoutbox.net/pobere.htm">reported</a> that during the ransacking of Washington by British soldiers in the War of 1812, then Superintendent of Patents, William Thorton, put himself in front of a British cannon and declared, “Are you Englishmen or only Goths and Vandals? This is the Patent Office, a depository of the ingenuity of the American nation, in which the whole civilized world is interested. Would you destroy it? If so, fire away, and let the charge pass through my body.” Whether or not the result of Superintendent Thorton’s bold stance, the patent building was one of the few government buildings spared by the British army in that attack.</p>

<p>When he redecorated the <a href="http://www.cbsnews.com/news/obama-has-made-the-oval-office-his-own/">Oval Office</a> early in his administration, President Barack Obama’s addition of a bust of Martin Luther King, Jr. garnered the most attention. But he also brought in three mechanical devices from the National Museum of American History’s patent collection (models of the telegraph, paddle wheel, and gear-cutter) to reflect the importance of technology and the creative spirit. In that spirit, he later took aggressive action issuing five executive orders to challenge patent trolls (“History Will Remember Barack Obama as the Great Slayer of Patent Trolls,” <a href="https://www.wired.com/2014/03/obama-legacy-patent-trolls/">Wired</a>, 3/20/14).</p>

<p>We are fighting back against patent trolls not because we don’t like the patent system. To the contrary, it’s due to our deep appreciation and need for the patent system that the actions of patent trolls are so offensive to us. Rather than appreciating the economic and social value of an effective patent system, these trolls distort and manipulate the patent system and the court system merely to line their own pockets. Those actions call into question the legitimacy of both systems in a way that is unacceptable to Cloudflare.   </p>

<h4 id="blackbirdtechnologies">Blackbird Technologies</h4>

<p>Even though Blackbird Tech is a pure patent troll, which has no operations aside from using patents it purchased to bring litigation against legitimate companies, they have specifically designed their business to create a new breed which poses serious additional concern.</p>

<p><img src="https://blog.cloudflare.com/content/images/2017/05/Wendy-Verlander-and-Chris-Freeman-of-Blackbird-Technologies-1.png" alt="Wendy Verlander and Chris Freeman, the Founders of the Blackbird Technologies Law Firm"></p>

<p>Blackbird was formed three years ago by two attorneys who left law firms where they had been engaged in patent defense work — Wendy Verlander (<a href="https://twitter.com/bbirdtech_CEO">@bbirdtech_CEO</a>; <a href="https://www.linkedin.com/in/wendy-verlander-9a27341/">LinkedIn</a>) at WilmerHale, and Chris Freeman (<a href="https://www.linkedin.com/in/chris-freeman-316ab3/">LinkedIn</a>) at Kirkland &amp; Ellis. Notably, both of those firms promote themselves as ready to protect companies from patent trolls. Kirkland <a href="https://www.kirkland.com/siteFiles/News/Law360%20(Practice%20Group%20of%20the%20Year_%20IP)%202015.pdf">trumpets</a> that its IP practice group scored a victory against the “original patent troll,” while WilmerHale has a <a href="https://www.wilmerhale.com/pages/publicationsandnewsdetail.aspx?NewsPubId=17179872084">Patent Troll Initiative</a> that aims to help businesses deal comprehensively with patent trolls. </p>

<p>Having gained valuable experience and training by working for clients who paid their firms handsomely to fight suits brought by patent trolls, Verlander and Freeman were well aware of the harm done to their clients by patent trolls. Yet, Verlander and Freeman decided to cast their lot with the other side and formed a patent troll for themselves. </p>

<p>Blackbird Technologies has filed 107 cases since September of 2014, making it one of the most prolific trolls in the United States. Its website links to a “News” item titled “4 Frequent Filers of IP Suits to Watch this Year” which highlights Blackbird as “a newer entrant on the list of top patent plaintiffs, coming in at fourth place with 48 suits last year in the District of Delaware spanning a wide range of technologies.” Some of the patents at issue include: <a href="https://www.google.com/patents/US6425349">Bicycle Pet Carrier</a>, <a href="https://www.google.com/patents/US7081036">Buttock Lift Support</a>, <a href="https://www.google.com/patents/US7867058">Sports Bra</a>, and <a href="https://www.google.com/patents/US6816085">Method for Managing a Parking Lot</a>. A complete list of Blackbird's patents is <a href="https://cloudflare.com/blackbirdpatents/">available here</a>. Although they have been very aggressive about filing such claims, they have still not taken a single case through trial. And only a couple of those cases made it to the claim construction phase, where the Court defines the meaning of the patents at issue. Instead, many of Blackbird’s cases have been resolved shortly after filing, suggesting that these cases were never about legal rights or claims but were instead about creating the impetus for a nuisance settlement in the face of significant litigation costs.  </p>

<p>In the Cloudflare case, Blackbird is asserting a 1998 patent filed by Oliver Kaufmann. Based on an <a href="https://assignment.uspto.gov/patent/index.html#/patent/search/resultAssignment?id=39923-226">assignment agreement</a> filed with the USPTO, Blackbird purchased the ‘335 patent from Mr. Kaufmann in October 2016 for $1 plus “other good and valuable consideration.” Because a mere five months later Blackbird used the ‘335 patent as the sole basis for lawsuits against Cloudflare and Fastly, we think the actual but undisclosed compensation between the parties is something considerably more than $1, and may very well involve a contingency arrangement for Mr. Kaufmann.</p>

<p>Mr. Kaufmann appears to be the head of a group of four small IT companies in Augsburg, Germany that share a website — <a href="http://www.exklusiv.de">www.exklusiv.de</a>. The companies provide services such as on premise networking and phone, ISP, database design and management, and 3D printing. If Mr. Kauffman ever tried to commercialize the ‘335 patent (in the U.S. or otherwise), we would expect to see some evidence of that on the website. We don’t. Of course, the patent troll system attempts to shield Mr. Kaufmann and his companies’ operations from the lawsuit by having Blackbird become the owner of the patent — even if Mr. Kaufmann maintains an interest in the litigation.</p>

<h3 id="partiicloudflaresresponse">Part II — Cloudflare’s Response</h3>

<p>Cloudflare’s mission has always been to help build a better Internet. So it won’t be surprising to frequent readers of this blog that Cloudflare isn’t interested in a short term and narrow resolution of our own interests. We’re not going to reach a settlement that would pay tens of thousands of dollars to Blackbird to avoid millions in legal fees. That would only allow patent trolls to keep playing their game and preying upon other innovative companies that share our interest in making the Internet work better, especially newer and more vulnerable companies. </p>

<p>We are pursuing a four-pronged approach to challenge Blackbird’s actions in this case.</p>

<h4 id="step1cloudflarewillfightthiscaseinthecourts">Step 1 — Cloudflare will fight this case in the courts</h4>

<p>Cloudflare will not settle this case, and doesn’t plan to settle any patent troll case, ever. </p>

<p>We will litigate this claim as vigorously and expeditiously as possible. Because it is clear to us after even minimal search that there is likely considerable evidence of prior art, we expect to file an Inter Parties Review of the ‘335 patent with the USPTO. If appropriate, we will seek sanctions and fee awards against Blackbird for bringing this case.  </p>

<h4 id="step2cloudflarewillfundacrowdsourcedefforttofindevidencetoinvalidateblackbirdspatentsallofthem">Step 2 — Cloudflare will fund a crowdsourced effort to find evidence to invalidate Blackbird’s patents… all of them</h4>

<p>In a <a href="https://blog.cloudflare.com/project-jengo/">separate blog post today</a>, Cloudflare is announcing that it will award up to $50,000 to support a search for prior art that can be used to invalidate Blackbird’s patents. Patent trolls like Blackbird have demonstrated that they can’t be trusted to act responsibly or take the public good into account when asserting patents against practicing companies.</p>

<p><img src="https://blog.cloudflare.com/content/images/2017/05/crowd.jpg" alt="The Crowd">
<span style="font-size: 8px">Crowd by Hamaz Butt (<a href="https://www.flickr.com/photos/141735806@N08/34334054481/in/photolist-UiZ1dz-nP3Rob-5pCtii-6qFvbn-6qLJkL-cF9pBh-Wd54U-dBvZA8-bCDeQi-JSoWr-9SJLio-bpH9BC-nULmFB-4YHDDh-ndrQnx-hG6i5P-8v8Bmg-73XJtd-7Jknc2-beBtLK-5oaePC-9dYDDD-5cLuvP-6UyjZU-bSNnKp-beBrb2-hZF26c-8RFNTi-dgeVoF-81jhAU-BQjUZ-4cdz51-hDs4dL-b7R8LX-qbgBz8-c9hyWf-a3CCzr-nUCZwy-mwKFdB-8RLpiu-54dLFX-cxSgD9-ea36Gz-a6q16c-4JtEDh-w8xxR-ak1koZ-5TXvNe-9XNPnw-4NZuH6">Flickr</a>)</span></p>

<p>Patent trolls take advantage of a system they assume is tilted in their favor, where they can take vague technology patents issued years ago and apply them as broadly as imaginable to the latest technology. Patent trolls think they can sit back and pick off settlements from companies because their lawsuits are a nuisance and the costs of defending those suits are considerable.</p>

<p>Changing this dynamic and leveling the playing field is going to require an entirely new way of approaching these challenges. Fighting such strong, though perverse, economic incentives is going to require a groundswell. It calls for a broad and active group of innovative folks who are willing to join the cause of helping expose the weaknesses in the patents held by these patent trolls, most of which were issued so long ago and are so broad that they never should have been issued in the first place.</p>

<p>Exposing the weakness of these patents means finding prior art that demonstrates the patents were issued improperly and working to have the USPTO invalidate those patents before they can be weaponized against legitimate companies that are working to innovate, to provide a livelihood to their employees and their families, and to make good products. We aim to invalidate every one of Blackbird’s patents and need your help. <a href="https://www.cloudflare.com/priorartsearch/">Come join us in this effort!</a></p>

<p>Prior art is any evidence that a patented invention was already known at the time the patent application was filed. Prior art does not need to be a competing patent, it does not necessarily need to exist physically or be commercially available. It is enough that there is evidence that the innovation was publicly known at any point when or before the patent application was filed. Though certainly the more formal and specific the prior art, the better.</p>

<p>As described in more detail in the other blog post, Cloudflare will award up to $20,000 to be shared among the participants who provide us the most useful prior art that can be used in our invalidity challenge to the ‘335 patent in the pending litigation. We will use our outside patent counsel to evaluate the responses and divide the award based on relevance and usefulness. We will also accept information and arguments which invalidate Blackbird patents such as a showing of obviousness or material defects in the patent application.</p>

<p>In addition, we are <a href="https://www.cloudflare.com/priorartsearch/">seeking prior art</a> information on any of the <a href="https://www.cloudflare.com/blackbirdpatents/">37 other patents or patent applications owned by Blackbird</a>.</p>

<p>We have a pool of up to $30,000 that we will distribute to people who submit information on any Blackbird patent. Again, the money will be awarded based on relevance and usefulness of the prior art. We will publish all the information that we receive on these patents, so that others may benefit from the information and file challenges on Blackbird’s patents. And where justified, Cloudflare may institute patent office proceedings of any Blackbird patent when there is sufficient prior art to call into question its validity.</p>

<p>These opportunities remain open as long as Blackbird’s case against Cloudflare is still active. If interested, you should go over to the other blog post <a href="https://blog.cloudflare.com/project-jengo/">here</a>, join the cause and be one of a group of talented and motivated experts who will push back against lazy trolls who try to take advantage of innovators by exploiting bugs in the judicial system.</p>

<h4 id="step3cloudflarewillinvestigateblackbirdsoperationstodevelopfactsthatsupportourargumentsinthelitigationandexposehowpatenttrollsreallyoperate">Step 3 — Cloudflare will investigate Blackbird’s operations to develop facts that support our arguments in the litigation and expose how patent trolls really operate</h4>

<p>Because patent trolls do not have operations beyond their ownership and litigation of patents for inventions they did not create, it can often be difficult to litigate against them. In addition, because of the unique organization of Blackbird, which appears to actually be a law firm that brings lawsuits on its own behalf and without a real client, there are important facts about this dispute that are difficult or impossible for us to determine at present. </p>

<p>As a result, we expect to investigate and to use the discovery process in this case and to retain a group of private investigators to look into Blackbird’s operations and attorneys to determine what counterclaims and arguments may be available to us in defense of the case. At a minimum, Blackbird suggests that it is engaged in a new and even more ingenious way of operating as a patent troll with maximum leverage and minimal inefficiencies in their operation. At a time when the economic evidence and public sentiment against the work of patent trolls is strong, it is important to bring their operations to the light of day and understand exactly how they work.</p>

<h4 id="step4filecomplaintsagainstblackbirdattorneysbybarassociationdisciplinarycounselinmassachusettsandillinois">Step 4 — File complaints against Blackbird attorneys by bar association disciplinary counsel in Massachusetts and Illinois</h4>

<p>The practice of law is supposed to be different from business, with lawyers held to a higher ethical standard. In most states, it is illegal for those who have not been admitted to the bar to provide legal services. This often gives lawyers a privileged position when it comes to handling things like real estate transactions, tax matters, and estate planning that might also be handled by other professionals, and it gives them a near monopoly on access to and use of the court system. In exchange, the legal profession is strictly governed by a series of ethical rules and other rules of professional conduct to make sure the profession sufficiently self-regulates to maintain public confidence and therefore secure the advantages of its monopoly. That’s why admission of new lawyers to the bar is generally premised not only on proof of competence (the bar exam), but also an investigation of character and fitness, and an oath committing to the principles of the profession. Importantly, the rules support the notion that the practice of law is a profession and not a mere business endeavor, this distinction is seen as essential to distinguishing the legal profession and maintaining the monopoly. See, generally Richard L. Abel, American Lawyers (1989). </p>

<p>Specifically, the American Bar Association established its Model Rules of Professional Conduct in 1983, which have subsequently been adopted by bar associations in almost every state, including the two states where Blackbird has its offices, Massachusetts and Illinois. The rules set forth a series of responsibilities that each lawyer must undertake, including duties to the profession generally and duties of candor to the court, which may require actions that run counter to the attorney’s self-interest. </p>

<p>For example, attorneys have an affirmative obligation to disclose when they have knowledge of adverse controlling legal authority (a rule or controlling court opinion that invalidates their proposed outcome), even if such disclosure runs counter to the interests of the attorney’s client. This disclosure is required even if both opposing counsel and the court are otherwise unaware of that authority (Model Rule 3.3(a)(2)). So attorneys are not allowed to take advantage of the judicial system just because they have an opening to do so. </p>

<p>Most of the rules address the extensive obligations owed to a client, to make sure lawyers don’t leverage their monopoly position to take advantage of the client. Among other things, the special nature of the Attorney-Client relationship involves a number of controls on the business relationship between the two — the attorney is to strictly avoid a conflict of interest with her work for the client (Rules 1.6-1.10), and should avoid self-dealing or commingling of funds (Rules 1.8 and 1.15). </p>

<p>As made clear in this blog post, Blackbird’s founders made the decision to leave law firms that were engaged in the defense of clients who were faced with patent lawsuits, and formed a new law firm focused on bringing law suits as a patent troll. The only services promoted on its website (<a href="http://www.blackbird-tech.com/">http://www.blackbird-tech.com/</a>) are legal services; the website notes that Blackbird represents a “new model” which provides the benefits of “top law firm experience” offering clients the ability to “litigate at reduced costs.”</p>

<p><img src="https://blog.cloudflare.com/content/images/2017/05/blackbird_value_prop.png" alt="Blackbird holding themselves out as a law firm"></p>

<p>Of 12 total employees listed on the Blackbird website, 7 are attorneys. The remaining 5 are very junior employees described as “analysts” (3 are current undergraduate students and 2 received Bachelor's degrees last May). As far as we can determine, Blackbird produces no products or services which it makes available to the public. Rather, it offers litigation services and is in the business of filing lawsuits. And its output in that regard is prolific, as it has filed a total of 107 lawsuits since September 2014.  </p>

<p>As final confirmation that Blackbird is a law firm marketing legal services, its own website includes a disclaimer about “<a href="http://www.blackbird-tech.com/attorney-advertising/">Attorney Advertising</a>,” which states explicitly “[p]lease note that this website may contain attorney advertising.” </p>

<p><img src="https://blog.cloudflare.com/content/images/2017/05/blackbird_attorney_advertising.png" alt="Blackbird Technologies says they advertise as a law firm"></p>

<p>Blackbird’s “new model” seems to be only that its operations set out to distort the traditional Attorney-Client relationship. Blackbird’s website makes a direct pitch of its legal services to recruit clients with potential claims and then, instead of taking them on as a client, purchases their claims and provides additional consideration that likely gives the client an ongoing interest in the resulting litigation. In doing so, Blackbird is flouting its ethical obligations meant to protect clients and distorting the judicial process by obfuscating and limiting potential counterclaims against the real party in interest. </p>

<p>As a result, we think Blackbird may be engaged in several activities that violate the rules of professional responsibility in the jurisdictions where they have been admitted as members of the bar. So, Cloudflare is submitting today letters with the bar disciplinary committees in Massachusetts and Illinois asking them to look into the following practices of Blackbird Tech:</p>

<ol>
<li><p><strong>Blackbird may have acquired a proprietary interest in the subject matter of the litigation in violation of Rule 1.8(i)</strong> — Attorneys have a near monopoly of representing clients in the judicial system. Rule of Professional Conduct 1.8(i) explicitly prohibits an attorney from “acquir[ing] a proprietary interest in a cause of action or subject matter of litigation.” But that is exactly what Blackbird does. Blackbird’s website contains a pitch to recruit clients with potential legal claims under their patents, but then buys those claims and brings them on their own behalf. Wouldn’t that be a violation of Rule 1.8(i)? Doesn’t Blackbird’s attempt to pitch this as a “new model” of being a patent troll ignore the fact that the only non-law firm activity in which they are engaged (buying patents to bring lawsuits) is the exact thing prohibited by Rule 1.8(i)? They shouldn’t be able to use creative contractual or corporate structures to avoid its responsibility under the rules.</p></li>
<li><p><strong>Blackbird may be sharing fees or firm equity with non-lawyers in violation of Rule 5.4(a) or 5.4(d)</strong> — In order to preserve the integrity of the Attorney-Client relationship, Rule of Professional Conduct 5.4(a) prohibits attorneys from splitting legal fees in individual matters with non-lawyers, and Rule 5.4(d) prohibits providing an equity interest in a firm to non-lawyers. We think Blackbird may be violating both provisions. Although he no longer owns the patent and is not a party to the case, the assignment agreement’s terms (specifying payment of only $1) makes it possible that Mr. Kaufman has a contingency interest in the lawsuit. If that is the case, wouldn’t Blackbird be in violation of Rule 5.4(a)? Similarly, Blackbird has moved very quickly since its founding to file lawsuits against a great number of companies — 107 complaints since September 2014. So far, none of those cases have gone to trial. We intend to examine whether they have used financial support from non-lawyers to fund the very fast start to their operations in exchange for an impermissible equity interest, or have shared an equity interest with patent holders like Mr. Kaufmann, either of which would be in violation of Rule 5.4(d).</p></li>
</ol>

<h3 id="inclosing">In Closing</h3>

<p>We've always advised our customers not to pay threatened DDoS attackers' ransom requests but, instead, to mount a real defense. There are a lot of analogies here and we believe it's important to stand up for what is right and against this new breed of patent troll.</p>

<iframe src="https://pages.cloudflareapps.com/patent-troll-with-input/" scrolling="no" frameborder="no" height="188" style="width: 1px; min-width: 100%"></iframe>

<p>If you’ve read this far, then you must share Cloudflare’s passion on this issue. So join us! Write about and talk about these issues. Contact your political representatives and ask them to support all the legislative reform efforts that are out there. And most importantly, take some time and join our crowdsourced effort to identify prior art that will <a href="https://www.cloudflare.com/priorartsearch/">invalidate all of the Blackbird patents</a>.</p>

<p>Watch this space. We’re just getting started.</p>]]></content:encoded></item><item><title><![CDATA[Project Jengo: Cloudflare's Prior Art Search Bounty]]></title><description><![CDATA[<p><img src="https://blog.cloudflare.com/content/images/2017/05/jengo-fett-bounty-hunter.jpg" alt="Bounty Hunter Attacks">
<span style="font-size: 8px">Jengo Fett by Brickset (<a href="https://www.flickr.com/photos/brickset/20549808814/in/photolist-8r5hJF-cZ1HN1-bvJCBN-5DMr2V-iyUpnV-MjmoQ-5DRGUo-5DQAdp-im5qp-bfSN5n-9SWyQc-xiV9dw-xj42yx-yfWvsK-yfWur6-9L3zZU-ydBZmS-xYqVdv-7G1rC5-7zGCni-6YPMH-4E5drd-9SWyqZ-qCQRd-2d9PS3-GWkjSw-aQTCJF-3UoQUy-MP36q-6WBtyF-Rg2Caw-Rg2C2A-aHMSp6-qhUg6-HA7TVW-4GXQrx-h1NiQf-4DZX52-h1Nyob-HwQ5hz-2VksxE-djg91r-2YxM4G-HA7Uz1-2VksBS-55QcQ-38L9ot-rS5tcr-5uNkEP-4DZX1a">Flickr</a>)</span></p>

<p>As readers of this blog likely know, especially if you read <a href="https://blog.cloudflare.com/standing-up-to-a-dangerous-new-breed-of-patent-troll">this post</a>, Cloudflare has been sued by a dangerous new breed of patent troll, Blackbird Technologies, asserting a very old and very vague patent. And we know we are not alone in being frustrated</p>]]></description><link>https://blog.cloudflare.com/project-jengo/</link><guid isPermaLink="false">8d07f189-7560-46fd-b36c-b72057da7f5a</guid><category><![CDATA[Legal]]></category><category><![CDATA[Community]]></category><dc:creator><![CDATA[Matthew Prince]]></dc:creator><pubDate>Thu, 11 May 2017 15:00:00 GMT</pubDate><content:encoded><![CDATA[<p><img src="https://blog.cloudflare.com/content/images/2017/05/jengo-fett-bounty-hunter.jpg" alt="Bounty Hunter Attacks">
<span style="font-size: 8px">Jengo Fett by Brickset (<a href="https://www.flickr.com/photos/brickset/20549808814/in/photolist-8r5hJF-cZ1HN1-bvJCBN-5DMr2V-iyUpnV-MjmoQ-5DRGUo-5DQAdp-im5qp-bfSN5n-9SWyQc-xiV9dw-xj42yx-yfWvsK-yfWur6-9L3zZU-ydBZmS-xYqVdv-7G1rC5-7zGCni-6YPMH-4E5drd-9SWyqZ-qCQRd-2d9PS3-GWkjSw-aQTCJF-3UoQUy-MP36q-6WBtyF-Rg2Caw-Rg2C2A-aHMSp6-qhUg6-HA7TVW-4GXQrx-h1NiQf-4DZX52-h1Nyob-HwQ5hz-2VksxE-djg91r-2YxM4G-HA7Uz1-2VksBS-55QcQ-38L9ot-rS5tcr-5uNkEP-4DZX1a">Flickr</a>)</span></p>

<p>As readers of this blog likely know, especially if you read <a href="https://blog.cloudflare.com/standing-up-to-a-dangerous-new-breed-of-patent-troll">this post</a>, Cloudflare has been sued by a dangerous new breed of patent troll, Blackbird Technologies, asserting a very old and very vague patent. And we know we are not alone in being frustrated about the way that such patent trolls inhibit the growth of innovative companies. Cloudflare is asking for your help in this effort, and we’re putting our money where our mouth is.  </p>

<p>Patent trolls take advantage of a system they assume is tilted in their favor, where they can take vague technology patents issued years ago and apply them as broadly as imaginable to the latest technology. And they do this without the limitations of having to show the original patent holder would have actually exercised the patent, because most of them don’t, at all. Patent trolls think they can sit back and pick off settlements from companies because their lawsuits are a nuisance and the costs of defending those suits are considerable. </p>

<p>Changing this dynamic and leveling the playing field is going to require an entirely new approach.  Fighting such strong, though perverse, economic incentives is going to require a groundswell. It calls for a large and active group of innovative folks who are willing to join the cause of helping expose the weakness in the patents held by these patent trolls. Exposing the weakness of these patents means finding prior art that demonstrates the patents were issued improperly and working to have the USPTO invalidate those patents before they can be weaponized against legitimate companies that are working to innovate, to provide a livelihood to their employees and their families, and to make good products.  </p>

<p>At Cloudflare, we’re lucky to have the best and most loyal customers on the Internet, a whole bunch of fans who are ridiculously smart and don’t take kindly to lazy trolls who try to take advantage by exploiting bugs in the judicial system. And of course, we’re more than happy to give them a bit of a nudge.</p>

<p><img src="https://blog.cloudflare.com/content/images/2017/05/indiana_jones_warehouse.jpg" alt="Indiana Jones Warehouse">
<span style="font-size: 8px">Indiana Jones: Raiders of the Lost Ark</span></p>

<h4 id="awardsforpriorart">Awards for Prior Art</h4>

<p>Cloudflare is committing up to $50,000 to support a search for prior art that can be used to invalidate patents held by Blackbird Tech…all of them.  By filing 107 lawsuits against companies since September 2014, Blackbird has demonstrated that it is going to use its patents to sue productive companies.  And patent trolls often target newer and more innovative companies, so it is important to investigate and research to discover whether prior art existed on the Blackbird patents and to keep them from filing additional cases against us or against other companies. </p>

<p>By “prior art,” we mean evidence that the patented technology was in use or known before the inventor conceived of or filed for his patent. Often, prior art consists of academic papers, technical websites describing current technology, other patents/patent applications—or, really, any other evidence showing that the technology was in use or known. For example, for the ‘335 patent, we are only asking for evidence that pre-dates the filing date of the patent—July 21, 1998. We will also accept information and arguments which invalidate Blackbird patents such as a showing of obviousness or material defects in the patent application.  And, for our purposes, the “patented technology” is defined by the claims that are listed at the end of the ’355 patent.</p>

<p>The $50,000 will fund two separate awards. </p>

<p>The first bounty (up to $20,000) is for prior art which reads on the patent Blackbird is using to sue Cloudflare, the <a href="https://www.google.com/patents/US6453335">‘335 patent</a>. $10,000 is guaranteed and will be divided among prior art submissions that raise substantive questions on the ‘335 patent.  The remaining $10,000 will be used to compensate prior art submissions that Cloudflare uses as evidence in an invalidation procedure at the USPTO or invalidation at trial. The latest date of prior art on the ‘335 patent would be July 20, 1998.   </p>

<p>The larger bounty (up to $30,000) will be spread among those submitting substantial prior art which reads on any of the 34 other outstanding Blackbird patents or their 3 in-flight patent applications and could lead to the invalidation of these dubious patents. Cloudflare will pay the second bounty to people who submit relevant and substantive prior art which, in Cloudflare’s opinion, reads on any other Blackbird patent. The money will be distributed based on the quality of the prior art, the perceived value of the patent, and the extent to which the evidence is used in a proceeding to invalidate one of the Blackbird patents.  </p>

<p>We will maintain a list of all the Blackbird patents at <a href="https://www.cloudflare.com/blackbirdpatents/">cloudflare.com/blackbirdpatents/</a>.  The list will provide the number of each patent, the relevant latest date of prior art, and will list germane already-identified prior art.  We will update the list periodically as we get new information submitted.</p>

<h4 id="howtoparticipate">How to participate</h4>

<p>You may submit your suggestion for prior art either through <a href="https://www.cloudflare.com/priorartsearch/">cloudflare.com/priorartsearch/</a>.  Cloudflare’s experts and attorneys will review each submission for its value in invalidating each patent.  Again, the money will be awarded based on relevance and usefulness.  Cloudflare will keep the award will be open until the end of our litigation, but we may start making initial partial awards as early as within 90 days.</p>

<p>In order to be eligible for any bounty you need to be the first person to submit a particular piece of prior art and the prior art must not be known to Cloudflare (e.g., the prior art must not be listed on the face of the Blackbird patent or in the patent prosecution’s history). For each submission of prior art, you will need to give us your name and contact information.  In your submission, you will need to document:</p>

<ul>
<li>Your name and email address</li>
<li>The number of the Blackbird patent at issue</li>
<li>What the prior art is.</li>
<li>Where you found it.</li>
<li>When it was first publicly available.</li>
<li>Where it was first publicly available.</li>
<li>Why you think it reads on a Blackbird’s patent.</li>
<li>Any other information which you think is helpful to our review.</li>
</ul>

<p>Big hint: don’t go to Google’s patent page and click on the prior art button, we’ve already done that.  We will then use our outside patent counsel to evaluate the responses and divide the award based on relevance and usefulness. See here <a href="https://www.cloudflare.com/priorartrules/">cloudflare.com/priorartrules/</a> for official rules and details.</p>

<p>Patent trolls like Blackbird have demonstrated that they can’t be trusted to act responsibly or take the public good into account when asserting patents against practicing companies. Making clear that its patents are invalid, or significantly narrower than Blackbird is likely to assert, is another way we can limit Blackbird’s ability to create economic harm.  </p>]]></content:encoded></item><item><title><![CDATA[Cape Town (South Africa): Cloudflare Data Center #113]]></title><description><![CDATA[<p><img src="https://blog.cloudflare.com/content/images/2017/05/Cape_Town_South_Africa_113.png" alt="alt"></p>

<p>Five fun facts:</p>

<ul>
<li>Cape Town is where the Atlantic Ocean and the Indian Ocean meet deep in the Southern Hemisphere.<br></li>
<li>The city is the start of the <a href="http://www.southafrica.net/za/en/articles/entry/article-southafrica.net-the-garden-route">Garden Route</a>, a 185 mile (300 km) glorious coastal drive brimming with native flowers and stunning vistas.<br></li>
<li>Cape Town is the gateway into</li></ul>]]></description><link>https://blog.cloudflare.com/cape-town-south-africa/</link><guid isPermaLink="false">e91f0690-2f1e-423d-9bc2-7e2703fbfdec</guid><category><![CDATA[Data Center]]></category><category><![CDATA[South Africa]]></category><category><![CDATA[Africa]]></category><category><![CDATA[Network Map]]></category><category><![CDATA[Johannesburg]]></category><category><![CDATA[Cape Town]]></category><dc:creator><![CDATA[Martin J Levy]]></dc:creator><pubDate>Thu, 11 May 2017 04:13:38 GMT</pubDate><media:content url="http://blog.cloudflare.com/content/images/2017/05/Cape_Town_South_Africa_113-1.png" medium="image"/><content:encoded><![CDATA[<img src="http://blog.cloudflare.com/content/images/2017/05/Cape_Town_South_Africa_113-1.png" alt="Cape Town (South Africa): Cloudflare Data Center #113"><p><img src="https://blog.cloudflare.com/content/images/2017/05/Cape_Town_South_Africa_113.png" alt="Cape Town (South Africa): Cloudflare Data Center #113"></p>

<p>Five fun facts:</p>

<ul>
<li>Cape Town is where the Atlantic Ocean and the Indian Ocean meet deep in the Southern Hemisphere.<br></li>
<li>The city is the start of the <a href="http://www.southafrica.net/za/en/articles/entry/article-southafrica.net-the-garden-route">Garden Route</a>, a 185 mile (300 km) glorious coastal drive brimming with native flowers and stunning vistas.<br></li>
<li>Cape Town is the gateway into the Stellenbosch and Franschhoek wine districts that make for very popular weekend excursions.<br></li>
<li>The imposing Table Mountain can be seen from most of Cape Town. When you take the cable car to the top of the mountain, the view from up there is even more stunning.<br></li>
<li>Cape Town is where Cloudflare has placed its 113th data center.<br></li>
</ul>

<h2 id="seconddatacenterinsouthafrica">Second data center in South Africa</h2>

<p>Back in December 2014, Cloudflare opened our first data center in Africa and our 30th datacenter globally. That was in <a href="https://blog.cloudflare.com/johannesburg-cloudflares-30th-data-center/">Johannesburg</a>, which has since seen over 10x growth in traffic delivered to South Africa and surrounding countries.</p>

<p>Now, we are expanding into our second city in South Africa — Cape Town, bringing us 870 miles (1,400km) closer to millions of Internet users. Only 15% smaller than Johannesburg by population, Cape Town commands a majority of the tourism business for the country.</p>

<p>For Cloudflare, our newest deployment reinforces our commitment to helping build a better Internet in South Africa and Southern Africa as a whole. Expanding on our existing peering at the <a href="https://wiki.inx.net.za/display/pub/JINX+-+Johannesburg+Internet+Exchange">JINX</a> and <a href="https://www.napafrica.net">NAPAfrica</a> Internet exchanges in Johannesburg, we are now also a member at NAPAfrica Cape Town. As we enable the interconnections with in-country hosts and ISPs, we will distribute and optimize traffic delivery, while providing in-country redundancy for millions of Internet properties.</p>

<p>Cloudflare now operates six data centers across Africa. Cape Town joins existing facilities in <a href="https://blog.cloudflare.com/cairo/">Cairo</a> (Egypt), <a href="https://blog.cloudflare.com/amsterdam-to-zhuzhou-cloudflare-global-network/">Luanda</a> (Angola), <a href="https://blog.cloudflare.com/mombasa-kenya-cloudflares-43rd-data-center/">Mombasa</a> (Kenya), <a href="https://blog.cloudflare.com/curacao-and-djibouti/">Djibouti</a> (Djibouti), and <a href="https://blog.cloudflare.com/johannesburg-cloudflares-30th-data-center/">Johannesburg</a> (South Africa).</p>

<h2 id="capetownandjohannesburgequallyserved">Cape Town and Johannesburg equally served</h2>

<p>In the graph below, Gauteng is the province containing Johannesburg and the nation's capital Pretoria, whereas the Western Cape province includes Cape Town and the aforementioned wine districts. With the second data center now operational in South Africa, we are seeing near equivalent performance over both major cities.</p>

<p><img src="https://blog.cloudflare.com/content/images/2017/05/Cape_Town_South_Africa_Cedexis_Weekly_Graph.png" alt="Cape Town (South Africa): Cloudflare Data Center #113">
<em>Latency (ms) decreases to Cloudflare customers. Source: Cedexis</em></p>

<h2 id="twomorecities">Two More Cities</h2>

<p><a href="https://blog.cloudflare.com/colombo/">Colombo</a> and Cape Town are the first two of four data centers going live this week. Our next two deployments, yet to be revealed, will provide additional redundancy to existing facilities in North America. Can you guess the cities they are in?</p>]]></content:encoded></item><item><title><![CDATA[How Cloudflare analyzes 1M DNS queries per second]]></title><description><![CDATA[<p>On Friday, we <a href="https://blog.cloudflare.com/dns-analytics/">announced DNS analytics</a> for all Cloudflare customers. Because of our scale –– by the time you’ve finished reading this, Cloudflare DNS will have handled millions of DNS queries –– we had to be creative in our implementation. In this post, we’ll describe the systems that make up</p>]]></description><link>https://blog.cloudflare.com/how-cloudflare-analyzes-1m-dns-queries-per-second/</link><guid isPermaLink="false">17a23f95-37cd-45b4-bf98-49b7493530ed</guid><category><![CDATA[DNS]]></category><category><![CDATA[Analytics]]></category><category><![CDATA[Cap'n Proto]]></category><category><![CDATA[Performance]]></category><dc:creator><![CDATA[Marek Vavruša]]></dc:creator><pubDate>Wed, 10 May 2017 21:50:20 GMT</pubDate><content:encoded><![CDATA[<p>On Friday, we <a href="https://blog.cloudflare.com/dns-analytics/">announced DNS analytics</a> for all Cloudflare customers. Because of our scale –– by the time you’ve finished reading this, Cloudflare DNS will have handled millions of DNS queries –– we had to be creative in our implementation. In this post, we’ll describe the systems that make up DNS Analytics which help us comb through trillions of these logs each month. </p>

<h2 id="howlogscomeinfromtheedge">How logs come in from the edge</h2>

<p><img src="https://blog.cloudflare.com/content/images/2017/05/Screen-Shot-2017-05-10-at-2.35.39-PM.png" alt=""></p>

<p>Cloudflare already has a <a href="https://blog.cloudflare.com/scaling-out-postgresql-for-cloudflare-analytics-using-citusdb">data pipeline for HTTP logs</a>. We wanted to utilize what we could of that system for the new DNS analytics. Every time one of our edge services gets an HTTP request, it generates a structured log message in the <a href="https://capnproto.org">Cap’n Proto</a> format and sends it to a local multiplexer service. Given the volume of the data, we chose not to record the full DNS message payload, only telemetry data we are interested in such as response code, size, or query name, which has allowed us to keep only ~150 bytes on average per message. It is then fused with processing metadata such as timing information and exceptions triggered during query processing. The benefit of fusing data and metadata at the edge is that we can spread the computational cost across our thousands of edge servers, and log only what we absolutely need.</p>

<p>The multiplexer service (known as “log forwarder”) is running on each edge node, assembling log messages from multiple services and transporting them to our warehouse for processing over a TLS secured channel. A counterpart service running in the warehouse receives and demultiplexes the logs into several Apache Kafka clusters. Over the years, Apache Kafka has proven to be an invaluable service for buffering between producers and downstream consumers, preventing data loss when consumers fail over or require maintenance. Since version 0.10, Kafka allows <a href="https://issues.apache.org/jira/browse/KAFKA-1215">rack-aware allocation of replicas</a>, which improves resilience against rack or site failure, giving us fault tolerant storage of unprocessed messages.</p>

<p><img src="https://blog.cloudflare.com/content/images/2017/05/data-pipeline-lg.png" alt=""></p>

<p>Having a queue with structured logs has allowed us to investigate issues retrospectively without requiring access to production nodes, but it has proven to be quite laborious at times. In the early days of the project we would skim the queue to find offsets for the rough timespan we needed, and then extract the data into HDFS in <a href="https://parquet.apache.org">Parquet</a> format for offline analysis. </p>

<h2 id="aboutaggregations">About aggregations</h2>

<p>The HTTP analytics service was built around stream processors generating aggregations, so we planned to leverage Apache Spark to stream the logs to HDFS automatically. As Parquet doesn’t natively support indexes or arranging the data in a way that avoids full table scans, it’s impractical for on-line analysis or serving reports over an API. There are extensions like <a href="https://github.com/lightcopy/parquet-index">parquet-index</a> that create indexes over the data, but not on-the-fly. Given this, the initial plan was to only show aggregated reports to customers, and keep the raw data for internal troubleshooting.</p>

<p>The problem with aggregated summaries is that they only work on columns with low cardinality (a number of unique values). With aggregation, each column in a given time frame explodes to the number of rows equal to the number of unique entries, so it’s viable to aggregate on something like response code which only has 12 possible values, but not a query name for example. Domain names are subject to popularity, so if, for example, a popular domain name gets asked 1,000 times a minute, one could expect to achieve 1000x row reduction for per-minute aggregation, however in practice it is not so. </p>

<p>Due to how DNS caching works, resolvers will answer identical queries from cache without going to the authoritative server for the duration of the TTL. The TTL tends to be longer than a minute. So, while authoritative servers see the same request many times, our data is skewed towards non-cacheable queries such as typos or random prefix subdomain attacks. In practice, we see anywhere between 0 - 60x row reduction when aggregating by query names, so storing aggregations in multiple resolutions almost negates the row reduction. Aggregations are also done with multiple resolution and key combinations, so aggregating on a high cardinality column can even result in more rows than original.</p>

<p><img src="https://blog.cloudflare.com/content/images/2017/05/data-agg-lg-1.png" alt=""></p>

<p>For these reasons we started by only aggregating logs at the zone level, which was useful enough for trends, but too coarse for root cause analysis. For example, in one case we were investigating short bursts of unavailability in one of our data centers. Having unaggregated data allowed us to narrow the issue down to the specific DNS queries experiencing latency spikes, and then correlated the queries with a misconfigured firewall rule. Cases like these would be much harder to investigate with only aggregated data as it only affected a tiny percentage of requests that would be lost in the aggregations.</p>

<p>So we started looking into several OLAP (Online Analytical Processing) systems. The first system we looked into was <a href="http://druid.io">Druid</a>. We were really impressed with the capabilities and how the front-end (Pivot and formerly Caravel) is able to slice and dice the data, allowing us to generate reports with arbitrary dimensions. Druid has already been deployed in similar environments with over 100B events/day, so we were confident it could work, but after testing on sampled data we couldn’t justify the hardware costs of hundreds of nodes. Around the same time Yandex open-sourced their OLAP system, <a href="https://clickhouse.yandex/">ClickHouse</a>.</p>

<h2 id="andthenitclicked">And then it Clicked</h2>

<p>ClickHouse has a much simpler system design - all the nodes in a cluster have equal functionality and use only <a href="https://zookeeper.apache.org/">ZooKeeper</a> for coordination. We built a small cluster of several nodes to start kicking the tires, and found the performance to be quite impressive and true to the results advertised in the <a href="https://clickhouse.yandex/benchmark.html">performance comparisons of analytical DBMS</a>, so we proceeded with building a proof of concept. The first obstacle was a lack of tooling and the small size of the community, so we delved into the ClickHouse design to understand how it works.</p>

<p>ClickHouse doesn’t support ingestion from Kafka directly, as it’s only a database, so we wrote an adapter service in Go. It read Cap’n Proto encoded messages from Kafka, converted them into TSV, and inserted into ClickHouse over the HTTP interface in batches. Later, we rewrote the service to use a <a href="https://github.com/kshvakov/clickhouse">Go library</a> using the native ClickHouse interface to boost performance. Since then, we’ve contributed some performance improvements back to the project. One thing we learned during the ingestion performance evaluation is that ClickHouse ingestion performance highly depends on batch size - the number of rows you insert at once. To understand why, we looked further into how ClickHouse stores data.</p>

<p>The most common table engine ClickHouse uses for storage is the MergeTree family. It is conceptually similar to <a href="https://en.wikipedia.org/wiki/Log-structured_merge-tree">LSM algorithm</a> used in <a href="https://www.igvita.com/2012/02/06/sstable-and-log-structured-storage-leveldb">Google’s BigTable</a> or Apache Cassandra, however it avoids an intermediate memory table, and writes directly to disk. This gives it excellent write throughput, as each inserted batch is only sorted by “primary key”, compressed, and written to disk to form a segment. The absence of a memory table or any notion of “freshness” of the data also means that it is append-only and data modification or deletion isn’t supported. The only way to delete data currently is to remove data by calendar months, as segments never overlap a month boundary. The ClickHouse team is actively working on making this configurable. On the other hand, this makes writing and segment merging conflict-free, so the ingestion throughput scales linearly with the number of parallel inserts until the I/O or cores are saturated. This, however, also means it is not fit for tiny batches, which is why we rely on Kafka and inserter services for buffering. ClickHouse then keeps constantly merging segments in the background, so many small parts will be merged and written more times (thus increasing write amplification) and too many unmerged parts will trigger aggressive throttling of insertions until the merging progresses. We have found that several insertions per table per second work best as a tradeoff between real-time ingestion and ingestion performance.</p>

<p>The key to table read performance is indexing and the arrangement of the data on disk. No matter how fast processing is, when the engine needs to scan terabytes of data from disk and use only a fraction of it, it’s going to take time. ClickHouse is a columnar store, so each segment contains a file for each column, with sorted values for each row. This way whole columns not present in the query can be skipped, and then multiple cells can be processed in parallel with vectorized execution. In order to avoid full scans, each segment also has a sparse index file. Given that all columns are sorted by the “primary key”, the index file only contains marks (captured rows) of every Nth row in order to be able to keep it in memory even for very large tables. For example the default settings is to make a mark of every 8,192th row. This way only 122,070 marks are required to sparsely index a table with 1 trillion rows, which easily fits in memory. See <a href="https://medium.com/@f1yegor/clickhouse-primary-keys-2cf2a45d7324">primary keys in ClickHouse</a> for a deeper dive into how it works.</p>

<p>When querying the table using primary key columns, the index returns approximate ranges of rows considered. Ideally the ranges should be wide and contiguous. For example, when the typical usage is to generate reports for individual zones, placing the zone on the first position of the primary key will result in rows sorted by zone in each column, making the disk reads for individual zones contiguous, whereas sorting primarily by timestamp would not. The rows can be sorted in only one way, so the primary key must be chosen carefully with the typical query load in mind. In our case, we optimized read queries for individual zones and have a separate table with sampled data for exploratory queries. The lesson learned is that instead of trying to optimize the index for all purposes and splitting the difference, we have made several tables instead.</p>

<p>One such specialisation are tables with aggregations over zones. Queries across all rows are significantly more expensive, as there is no opportunity to exclude data from scanning. This makes it less practical for analysts to compute basic aggregations on long periods of time, so we decided to use <a href="https://clickhouse.yandex/reference_en.html#CREATE%20VIEW">materialized views</a> to incrementally compute predefined aggregations, such as counters, uniques, and quantiles. The materialized views leverage the sort phase on batch insertion to do productive work - computing aggregations. So after the newly inserted segment is sorted, it also produces a table with rows representing dimensions, and columns representing <a href="https://github.com/yandex/ClickHouse/blob/master/doc/developers/architecture.md#aggregate-functions">aggregation function state</a>. The difference between aggregation state and final result is that we can generate reports using an arbitrary time resolution without actually storing the precomputed data in multiple resolutions. In some cases the state and result can be the same -  for example basic counters, where hourly counts can be produced by summing per-minute counts, however it doesn’t make sense to sum unique visitors or latency quantiles. This is when aggregation state is much more useful, as it allows meaningful merging of more complicated states, such as <a href="https://en.wikipedia.org/wiki/HyperLogLog">HyperLogLog (HLL)</a> bitmap to produce hourly unique visitors estimate from minutely aggregations. The downside is that storing state can be much more expensive than final values - the aforementioned HLL state tends to be 20-100 bytes / row when compressed, while a counter is only 8 bytes (1 byte compressed on average). These tables are then used to quickly visualise general trends across zones or sites, and also by our API service that uses them opportunistically for simple queries. Having both incrementally aggregated and unaggregated data in the same place allowed us simplify the architecture by deprecating stream processing altogether.</p>

<h2 id="infrastructureanddataintegrity">Infrastructure and data integrity</h2>

<p>We started with RAID-10 composed of 12 6TB spinning disks on each node, but reevaluated it after the first inevitable disk failures. In the second iteration we migrated to RAID-0, for two reasons. First, it wasn’t possible to hot-swap just the faulty disks, and second the array rebuild took tens of hours which degraded I/O performance. It was significantly faster to replace a faulty node and use internal replication to populate it with data over the network (2x10GbE), than to wait for an array to finish rebuilding. To compensate for higher probability of node failure, we switched to 3-way replication and allocated replicas of each shard to different racks, and started planning for replication to a separate data warehouse.</p>

<p>Another disk failure <a href="https://github.com/yandex/ClickHouse/issues/520">highlighted a problem</a> with the filesystem we used. Initially we used XFS, but it started to lock up during replication from 2 peers at the same time, thus breaking replication of segments before it completed. This issue has manifested itself with a lot of I/O activity with little disk usage increase as broken parts were deleted, so we gradually migrated to ext4 that didn’t have the same issue.</p>

<h2 id="visualizingdata">Visualizing Data</h2>

<p>At the time we relied solely on <a href="http://pandas.pydata.org">Pandas</a> and <a href="https://clickhouse.yandex/reference_en.html#HTTP%20interface">ClickHouse’s HTTP interface</a> for ad-hoc analyses, but we wanted to make it more accessible for both analysis and monitoring. Since we knew Caravel - now renamed to <a href="https://github.com/airbnb/superset">Superset</a> - from the experiments with Druid, we started working on an integration with ClickHouse. </p>

<p><img src="https://blog.cloudflare.com/content/images/2017/05/superset-1.png" alt=""></p>

<p>Superset is a data visualisation platform designed to be intuitive, and allows analysts to interactively slice and dice the data without writing a single line of SQL. It was initially <a href="https://medium.com/airbnb-engineering/caravel-airbnb-s-data-exploration-platform-15a72aa610e5">built and open sourced by AirBnB</a> for Druid, but over time it has gained support for SQL-based backends using <a href="https://www.sqlalchemy.org">SQLAlchemy</a>, an abstraction and ORM for tens of different database dialects. So we wrote and open-sourced a <a href="https://github.com/cloudflare/sqlalchemy-clickhouse">ClickHouse dialect</a> and finally a native <a href="https://github.com/airbnb/superset/pull/1844">Superset integration</a> that has been merged a few days ago.</p>

<p>Superset has served us well for ad-hoc visualisations, but it is still not polished enough for our monitoring use case. At Cloudflare we’re heavy users of Grafana for visualisation of all our metrics, so we wrote and open-sourced a <a href="https://github.com/vavrusa/grafana-sqldb-datasource">Grafana integration</a> as well.</p>

<p><img src="https://blog.cloudflare.com/content/images/2017/05/Screen-Shot-2017-05-08-at-12.39.47-1.png" alt=""></p>

<p>It has allowed us to seamlessly extend our existing monitoring dashboards with the new analytical data. We liked it so much that we wanted to give the same ability to look at the analytics data to you, our users. So we built a <a href="https://blog.cloudflare.com/grafana-plugin">Grafana app</a> to visualise data from Cloudflare DNS Analytics. Finally, we made it available in your <a href="https://blog.cloudflare.com/dns-analytics/">Cloudflare dashboard analytics</a>. Over time we’re going to add new data sources, dimensions, and other useful ways how to visualise your data from Cloudflare. Let us know what you’d like to see next.</p>

<p>Does solving these kinds of technical and operational challenges excite you? Cloudflare is always hiring for talented specialists and generalists within our <a href="https://www.cloudflare.com/careers/departments/engineering/">Engineering</a>, <a href="https://www.cloudflare.com/careers/departments/technical-operations/">Technical Operations</a> and <a href="https://www.cloudflare.com/careers">other teams</a>.</p>]]></content:encoded></item><item><title><![CDATA[Colombo, Sri Lanka: Six million Internet properties now faster for six million Internet users]]></title><description><![CDATA[<p><img src="https://blog.cloudflare.com/content/images/2017/05/Colombo-112-01.png" alt="" title=""><br></p>

<p>We are excited to add four new data centers this week to Cloudflare's growing <a href="https://www.cloudflare.com/network/">network</a>, beginning with Colombo, Sri Lanka. This deployment is our 112th data center globally, and our 38th in Asia.<br></p>

<h1 id="fasterperformance">Faster Performance</h1>

<p><img src="https://blog.cloudflare.com/content/images/2017/05/SL_Tea-1.jpg" alt="">
<em><br><small><a href="https://creativecommons.org/licenses/by/2.0/">CC BY-NC-ND 2.0</a> <a href="https://flic.kr/p/bU5Loa">image</a> by <a href="https://www.flickr.com/photos/lukecz/">Pavel Dobrovsky</a></small></em></p>

<p>Six million Internet properties using Cloudflare are</p>]]></description><link>https://blog.cloudflare.com/colombo/</link><guid isPermaLink="false">01e6b5d5-dd95-4f6f-94ed-cd5c860e6355</guid><category><![CDATA[Data Center]]></category><category><![CDATA[Asia]]></category><category><![CDATA[Sri Lanka]]></category><category><![CDATA[Network Map]]></category><dc:creator><![CDATA[Nitin Rao]]></dc:creator><pubDate>Tue, 09 May 2017 05:13:00 GMT</pubDate><media:content url="http://blog.cloudflare.com/content/images/2017/05/Colombo-112-01-1.png" medium="image"/><content:encoded><![CDATA[<img src="http://blog.cloudflare.com/content/images/2017/05/Colombo-112-01-1.png" alt="Colombo, Sri Lanka: Six million Internet properties now faster for six million Internet users"><p><img src="https://blog.cloudflare.com/content/images/2017/05/Colombo-112-01.png" alt="Colombo, Sri Lanka: Six million Internet properties now faster for six million Internet users" title=""><br></p>

<p>We are excited to add four new data centers this week to Cloudflare's growing <a href="https://www.cloudflare.com/network/">network</a>, beginning with Colombo, Sri Lanka. This deployment is our 112th data center globally, and our 38th in Asia.<br></p>

<h1 id="fasterperformance">Faster Performance</h1>

<p><img src="https://blog.cloudflare.com/content/images/2017/05/SL_Tea-1.jpg" alt="Colombo, Sri Lanka: Six million Internet properties now faster for six million Internet users">
<em><br><small><a href="https://creativecommons.org/licenses/by/2.0/">CC BY-NC-ND 2.0</a> <a href="https://flic.kr/p/bU5Loa">image</a> by <a href="https://www.flickr.com/photos/lukecz/">Pavel Dobrovsky</a></small></em></p>

<p>Six million Internet properties using Cloudflare are now even faster across the island country of Sri Lanka. Previously, local visitors to Cloudflare customers were served out of our <a href="https://blog.cloudflare.com/cloudflares-singapore-data-center-now-online/">Singapore</a> or <a href="https://blog.cloudflare.com/middle-east-expansion/">Dubai</a> data centers.<br></p>

<p><img src="https://blog.cloudflare.com/content/images/2017/05/SL_Latency-1.png" alt="Colombo, Sri Lanka: Six million Internet properties now faster for six million Internet users">
<em>Latency (ms) decreases 4x to Cloudflare customers. Source: <a href="https://www.cedexis.com/">Cedexis</a></em></p>

<p>Sri Lanka added over one million Internet users in the past year alone. At ~30% Internet penetration, there is considerable room to grow.</p>

<h1 id="nextthreecities">Next Three Cities</h1>

<p>Our deployments to be revealed later this week will provide additional redundancy to existing facilities in North America and Africa. </p>

<p>If you enjoy the idea of helping build one of the world's largest networks, come <a href="https://www.cloudflare.com/careers/">join our team</a>!</p>]]></content:encoded></item><item><title><![CDATA[Anonymity and Abuse Reports]]></title><description><![CDATA[<p>Last Thursday, ProPublica published <a href="https://www.propublica.org/article/how-cloudflare-helps-serve-up-hate-on-the-web">an article</a> critiquing our handling of some abuse reports that we receive. Feedback from the article caused us to reevaluate how we handle abuse reports. As a result, we've decided to update our abuse reporting system to allow individuals reporting threats and child sexual abuse material</p>]]></description><link>https://blog.cloudflare.com/anonymity-and-abuse-reports/</link><guid isPermaLink="false">999d00d2-f515-41c7-a3df-fd3822f47be4</guid><category><![CDATA[Freedom of Speech]]></category><category><![CDATA[Feedback]]></category><category><![CDATA[Community]]></category><category><![CDATA[Support]]></category><category><![CDATA[Abuse]]></category><dc:creator><![CDATA[Matthew Prince]]></dc:creator><pubDate>Sun, 07 May 2017 19:35:34 GMT</pubDate><content:encoded><![CDATA[<p>Last Thursday, ProPublica published <a href="https://www.propublica.org/article/how-cloudflare-helps-serve-up-hate-on-the-web">an article</a> critiquing our handling of some abuse reports that we receive. Feedback from the article caused us to reevaluate how we handle abuse reports. As a result, we've decided to update our abuse reporting system to allow individuals reporting threats and child sexual abuse material to do so anonymously. We are rolling this change out and expect it to be available by the end of the week.</p>

<p>I appreciate the feedback we received. How we handle abuse reports has evolved over the last six and a half years of Cloudflare's history. I wanted to take this opportunity to walk through some of the rationale that got us to this point and caused us to have a blindspot to the case that was highlighted in the article.</p>

<h4 id="whatiscloudflare">What Is Cloudflare?</h4>

<p>Cloudflare is not a hosting provider. We do not store the definitive copy of any of the content that someone may want to file an abuse claim about. If we terminate a customer it doesn’t make the content go away. Instead, we are more akin to a specialized network. One of the functions of the network that we provide is to add security to the content providers that use us. Part of doing that inherently involves hiding the location of the actual hosting provider. If we didn't do this, a malicious attacker could simply bypass Cloudflare by attacking the host directly.</p>

<p>That created an early question on what we should do when someone reported abusive content that was passing through our network. The first principle was we believed it was important for us to not stand in the way of valid abuse reports being submitted. The litmus test that we came up with was that the existence of Cloudflare ideally shouldn't make it any harder, or any easier, to report and address abuse.</p>

<h4 id="mistakesofearlyabusereporting">Mistakes of Early Abuse Reporting</h4>

<p>The majority (83% over the last week) of the abuse reports that we get involve allegedly copyrighted material transiting our network. Our early abuse policy specified that if we received an abuse report alleging copyrighted material we'd turn over the IP address of the hosting provider so the person filing the abuse report could report the abuse directly.</p>

<p>It didn't take long for malicious attackers to realize this provided an effective way to bypass our protections. They would submit a fake report alleging some image on a legitimate site had been illegally copied, we'd turn over the IP address of our customer, and they'd attack it directly. Clearly that wasn't a workable model.</p>

<p>As a result, we revised our policy to instead act as a proxy for abuse reports that were submitted to us. If a report was submitted then we'd proxy the report through and forward it to the site owner as well as the site's host. We provided the contact information so the parties could address the issue between themselves.</p>

<p>While we have a Trust &amp; Safety team that is staffed around the clock, for the most part abuse handling is automated. Various firms that specialize in finding and taking down copyrighted material generate such a flood, often submitting hundreds of reports for the same allegedly copyrighted item, that manual review of every report would be infeasible.</p>

<h4 id="violentthreatsandchildsexualabuse">Violent Threats and Child Sexual Abuse</h4>

<p>We've always treated reports of violent threats and child sexual abuse material with additional care. Understandably, from the perspective of the individuals in the ProPublica article, it seems callous and absurd that we would ever forward these reports to the site owner. However, we had a different perspective.</p>

<p>The vast majority of times that violent threats or child sexual abuse material were reported to us occurred on sites that were not dedicated to those topics. Imagine a social network like Facebook was a Cloudflare customer. Somewhere on the site something was posted that included a violent threat. That post was then reported to Cloudflare as the network that sits in front of the Facebook-like site.</p>

<p>In our early days, it seemed reasonable and responsible to pass the complaint on to the Facebook-like customer who could then follow up directly. That also met the litmus test of being what would happen if Cloudflare didn't exist. What the policy didn't account for was site owners who could not be trusted to act responsibly with abuse reports including contact information.</p>

<h4 id="anonymousreporting">Anonymous Reporting</h4>

<p>Beginning in 2014, we saw limited, but very concerning, reports of retaliation based on submitted abuse reports. As a result, we adjusted our process to make it so complaints about violent threats and child sexual abuse material would be sent only to the host, not to the site owner.</p>

<p>We’ve confirmed that in the cases reported to the site mentioned in the ProPublica article we followed this procedure. That change largely addressed the problem of people reporting abuse getting harassed. What we didn’t anticipate is that some hosts would themselves pass the full complaint, including the reporter’s contact information, on to the site owner. We assume this is what happened in the ProPublica cases.</p>

<p>Another change we made in 2015 was to clarify exactly what would happen when someone submitted a report by adding disclaimers to our <a href="https://www.cloudflare.com/abuse">abuse form</a>. These disclaimers appear in multiple places throughout the abuse submission flow:</p>

<div style="border-left: thick solid #000000; padding-left: 10px; margin-top: 20px; margin-bottom: 20px;"><i>“Cloudflare will forward all abuse reports that appear to be legitimate to the responsible hosting provider and to the website owner.”</i></div>

<div style="border-left: thick solid #000000; padding-left: 10px; margin-top: 20px; margin-bottom: 20px;"><i>"By submitting this report, you consent to the above information potentially being released by Cloudflare to third parties such as the website owner, the responsible hosting provider, law enforcement, and/or entities like Chilling Effects."</i></div>

<p>In a world without Cloudflare, if you wanted to anonymously report something, you would use a disposable email and a fake name and submit a report to the site's hosting provider or the site itself. We didn't do anything to check that the contact information used in reports was valid so we assumed, with the disclaimer in place, if people wanted to submit reports anonymously they'd do the same thing as they would have if Cloudflare didn't exist.</p>

<p>That was a bad assumption. As the ProPublica article made clear, many people did not read or understand the disclaimer and were surprised that we forwarded their full abuse report to the host who then, in some cases, could forward it to the site owner.</p>

<h4 id="determiningbadactors">Determining Bad Actors</h4>

<p>In reevaluating our policy a key question was when it is appropriate to pass along the full report and when it is not. Again, from the perspective of the author of the ProPublica article, that may seem like an easy distinction. The reality is that requiring an individual working on our Trust &amp; Safety team understand the nature of every site that is on Cloudflare is untenable. Moreover, adding more human intervention that slows down the process of reporting abuse, especially in cases of violent threats and child sexual abuse material, where time may be of the essence, strikes us as a step backward.</p>

<p>Instead, we took the suggestions of many of the comments we received and are implementing a policy where reporters of these types of abuse can choose to submit them and not have their contact information included in what we forward. The person making the abuse report seems in the best position to judge whether or not they want their information to be relayed. Making this change requires some engineering work on our part, but we have prioritized it. By the end of this week, someone submitting an abuse report for one of these categories will have the choice of whether to do so anonymously.</p>

<h4 id="ongoingimprovements">Ongoing Improvements</h4>

<p>We are under no illusion that this latest iteration of our abuse process is perfect. In fact, we already have concerns about challenges the new system will create. Anonymous reporting opens a new vector for malicious actors to submit false reports and harass Cloudflare customers. In addition, for responsible Cloudflare customers who want to act on reports, anonymous reports may make it more difficult for them to gather more information from the reporter which may make it more difficult for well-informed action to be taken to address the issue.</p>

<p>We appreciate the feedback on where our previous process broke down. As new problems arise, we anticipate that we'll continue to need to make changes to how we handle abuse reports.</p>

<h4 id="finalthoughtsoncensoringtheinternet">Final Thoughts on Censoring the Internet</h4>

<p>While we clearly had a significant blindspot in how we handled one type of abuse reports, we remain committed to our belief that it is not Cloudflare's role to make determinations on what content should and should not be online. That belief comes from a number of principles.</p>

<p>Cloudflare is more akin to a network than a hosting provider. I'd be deeply troubled if my ISP started restricting what types of content I can access. As a network, we don't think it's appropriate for Cloudflare to be making those restrictions either.</p>

<p>That is not to say we support all the content that passes through Cloudflare's network. We, both as an organization and as individuals, have political beliefs and views of what is right and wrong. There are institutions — law enforcement, legislatures, and courts — that have a social and political legitimacy to determine what content is legal and illegal. We follow the lead of those organizations in all the jurisdictions we operate. But, as more and more of the Internet sits behind fewer and fewer private companies, we're concerned that the political beliefs and biases of those organizations will determine what can and cannot be online.</p>

<p>If you're interested, I gave <a href="https://www.youtube.com/watch?v=SWFX-zEYwN0">a talk a few years ago</a> about how we think about our role in policing online content. It's about an hour long, but if you're interested in the topic, I encourage you to watch it in order to better understand our perspective.</p>

<iframe width="560" height="315" src="https://www.youtube.com/embed/SWFX-zEYwN0" frameborder="0" allowfullscreen style="margin-bottom: 20px;"></iframe>  

<p><br><br> <br>
From time to time an organization will sign up for Cloudflare that we find revolting because they stand for something that is the opposite of what we think is right. Usually, those organizations don't pay us. Every once in awhile one of them does. When that happens it's one of the greatest pleasures of my job to quietly write the check for 100% of what they pay us to an organization that opposes them. The best way to fight hateful speech is with more speech. </p>

<p>I appreciate the feedback on how we can improve our abuse process. We are implementing the changes that were recommended. They take engineering, so they aren't available immediately, but will be live by the end of this week. We continue to iterate and improve on our mission of helping build a better Internet.</p>]]></content:encoded></item><item><title><![CDATA[Meet The Brand New DNS Analytics Dashboard]]></title><description><![CDATA[<p><img src="https://blog.cloudflare.com/content/images/2017/05/dns-analytics-cloudflare.png" alt=""></p>

<p>Have you noticed something new in your Cloudflare analytics dashboard this morning? You can now see detailed DNS analytics for your domains on Cloudflare. </p>

<p>If you want to skip to the punch and start exploring, go check it out <a href="https://www.cloudflare.com/a/analytics/">here</a>. Otherwise, hop on the DNS magic school bus - and</p>]]></description><link>https://blog.cloudflare.com/dns-analytics/</link><guid isPermaLink="false">63c22fd0-0ce8-4b47-a17a-2bfdb069f135</guid><category><![CDATA[DNS]]></category><category><![CDATA[Analytics]]></category><category><![CDATA[Reliability]]></category><category><![CDATA[Performance]]></category><dc:creator><![CDATA[Dani Grant]]></dc:creator><pubDate>Fri, 05 May 2017 14:55:53 GMT</pubDate><content:encoded><![CDATA[<p><img src="https://blog.cloudflare.com/content/images/2017/05/dns-analytics-cloudflare.png" alt=""></p>

<p>Have you noticed something new in your Cloudflare analytics dashboard this morning? You can now see detailed DNS analytics for your domains on Cloudflare. </p>

<p>If you want to skip to the punch and start exploring, go check it out <a href="https://www.cloudflare.com/a/analytics/">here</a>. Otherwise, hop on the DNS magic school bus - and let us show you all the neat stats in your now-available DNS analytics.</p>

<h2 id="dnsanalyticsdashboardwhatdoesitknowdoesitknowthingsletsfindout">DNS analytics dashboard: What does it know? Does it know things? Let’s find out.</h2>

<p><img src="https://blog.cloudflare.com/content/images/2017/05/dns-analytics-cloudflare-queries-by-response-code.png" alt=""></p>

<p>At the top of the DNS analytics dashboard you can see your DNS traffic health. This “Queries by Response Codes” graph breaks down queries by what response code Cloudflare DNS answered to the visitor. Like HTTP response codes, DNS response codes give an indication of what is happening behind the scenes. Mostly you will just see NOERROR, the HTTP 200 of DNS response codes, and NXDOMAIN, the HTTP 404 of DNS response codes. NXDOMAIN is particularly interesting - what are people querying for that doesn’t exist?</p>

<p>If you are an enterprise customer and you want to know what all the NXDOMAIN queries are, just scroll down a little bit where we show you the top queries for your domain and top queries for your domain for DNS records that don’t exist (aka top NXDOMAIN queries).</p>

<p><img src="https://blog.cloudflare.com/content/images/2017/05/dns-analytics-cloudflare-top-n.png" alt=""></p>

<p>If you are curious then where all of these NXDOMAIN queries are coming from, all Pro, Business and Enterprise plan customers can scroll down a little bit further to the geography section where we show you the breakdown of where your queries come from and also where your queries returning NXDOMAIN come from.</p>

<p><img src="https://blog.cloudflare.com/content/images/2017/05/dns-analytics-cloudflare-map-nxdomain.png" alt=""></p>

<p>If you are an Enterprise customer and want to dive in deeper just for one or a few names, you can filter down the entire dashboard by hostname. You can even filter the dashboard by names that don’t exist in your DNS records so you can explore traffic for misconfigured records resolvers are looking for that don’t exist.</p>

<p><img src="https://blog.cloudflare.com/content/images/2017/05/filter.png" alt=""></p>

<p>Lastly, back up at the top, business and enterprise customers can see a breakdown of traffic by record type. If your domain has DNSSEC enabled, you’ll even see queries for DNSKEY records, meaning DNS resolvers that are DNSSEC-aware are asking Cloudflare for your DNSSEC keys to verify DNS records are untampered with.</p>

<p><img src="https://blog.cloudflare.com/content/images/2017/05/dns-analytics-cloudflare-qtype.png" alt=""></p>

<p>If you like what you’re seeing and wish you could use the data to piece together your own dashboards? You can. We’ve developed a <a href="https://blog.cloudflare.com/grafana-plugin/">Grafana plugin</a> you can use to build your own dashboards and an API you can use to create your own tools. Plus the API gives you some added neat information like the distribution of queries over IPv6 vs IPv4 and UDP vs TCP, as well as the distribution of answers by query and response size. (DNS people rejoice -- now you can finally see if there’s a difference in query size between IPv6 and IPv4, and what is the breaking point where Cloudflare DNS answers switch from UDP to TCP.)</p>

<h2 id="whataboutdnsfirewallandcnamesetup">What about DNS Firewall and CNAME setup?</h2>

<p><a href="https://www.cloudflare.com/dns/dns-firewall/">DNS Firewall</a> customers, you’re next! Stay tuned! We have a really cool dashboard coming up for you that shows latency and errors on a per origin basis. We can’t wait for you to see it. In the meantime, you can see all your data through the <a href="https://blog.cloudflare.com/grafana-plugin/">Grafana plugin</a> and <a href="https://api.cloudflare.com/#virtual-dns-analytics-users--properties">API</a>.</p>

<p>If you use Cloudflare but don’t see traffic in the DNS analytics dashboard, it’s because you use Cloudflare through a CNAME setup where your DNS is hosted outside of Cloudflare. Your DNS isn’t on us, so we can’t give you cool DNS analytics. If you’re interested in moving your DNS over to Cloudflare to try out DNS analytics and the newly announced Cloudflare <a href="https://www.cloudflare.com/load-balancing/">Load Balancing</a>, <a href="https://support.cloudflare.com/hc/en-us/requests/new">give our team a holler</a>, they will swap your setup for you.</p>

<h2 id="letsgetstarted">Let’s get started!</h2>

<p>We are excited for you to get started digging into your DNS traffic. Let us know what you think by sending your feedback to dns-analytics-feedback@cloudflare.com. Cloudflare DNS team eagerly awaits your feedback :). Now go on vacation, we’ll look after your DNS!</p>]]></content:encoded></item><item><title><![CDATA[Introducing the new Cloudflare Community Forum]]></title><description><![CDATA[<p>Cloudflare’s community of users is vast. With more than 6 million domains registered, our users come in all shapes and sizes and are located all over the world.  They can also frequently be found hanging out all around the web, from <a href="https://twitter.com/search?f=tweets&amp;vertical=default&amp;q=cloudflare&amp;src=tyah">social media platforms</a>, to <a href="http://stackoverflow.com/search?q=cloudflare">Q&amp;A sites</a></p>]]></description><link>https://blog.cloudflare.com/cloudflare-community/</link><guid isPermaLink="false">4c600734-d152-4730-af48-776db17a5b59</guid><category><![CDATA[Community]]></category><category><![CDATA[Support]]></category><category><![CDATA[Feedback]]></category><dc:creator><![CDATA[Ryan Knight]]></dc:creator><pubDate>Wed, 03 May 2017 21:02:29 GMT</pubDate><media:content url="http://blog.cloudflare.com/content/images/2017/05/Screen-Shot-2017-05-05-at-2.28.57-PM.png" medium="image"/><content:encoded><![CDATA[<img src="http://blog.cloudflare.com/content/images/2017/05/Screen-Shot-2017-05-05-at-2.28.57-PM.png" alt="Introducing the new Cloudflare Community Forum"><p>Cloudflare’s community of users is vast. With more than 6 million domains registered, our users come in all shapes and sizes and are located all over the world.  They can also frequently be found hanging out all around the web, from <a href="https://twitter.com/search?f=tweets&amp;vertical=default&amp;q=cloudflare&amp;src=tyah">social media platforms</a>, to <a href="http://stackoverflow.com/search?q=cloudflare">Q&amp;A sites</a>, to any number of personal interest forums.  Cloudflare users  have questions to ask and an awful lot of expertise to share. </p>

<p>It’s with that in mind that we wanted to give Cloudflare users a more centralized location to gather, and to discuss all things Cloudflare.  So we have launched a new Cloudflare Community at <a href="https://community.cloudflare.com/">community.cloudflare.com</a>.</p>

<p><img src="https://blog.cloudflare.com/content/images/2017/05/Screen-Shot-2017-05-01-at-1.09.27-PM.png" alt="Introducing the new Cloudflare Community Forum"></p>

<h3 id="whoisthiscommunityfor">Who is this community for?</h3>

<p>It's for anyone and everyone who uses Cloudflare.  Whether you are adding your first domain and don’t know what a name server is, or you are managing 1,000s of domains via API, or you are somewhere in between.  In the Cloudflare Community you will be able to find tips, tricks, troubleshooting guidance, and recommendations.  </p>

<p>We also think this will be a great way to get feedback from users on what’s working for them, what isn’t, and ways that we can make Cloudflare better.  There will even be opportunities to participate in early access programs for new and evolving features.  </p>

<h3 id="howdoiaccessit">How do I access it?</h3>

<p>Anyone can visit <a href="https://community.cloudflare.com/">community.cloudflare.com</a> and look around, soaking in all the information and expertise available, but in order to post questions or comments you must have a Cloudflare account.  We wanted to keep this forum focused on using and improving Cloudflare, and not about questions from people who visit sites that use Cloudflare services. When users visit the forum and try to sign-in for the first time they will go through the usual Cloudflare login process, but there will be an added step for email verification.  Once that is done users are good to go.</p>

<h3 id="howtousetheforum">How to use the forum</h3>

<p>We’ve started off with some broad categories like <a href="https://community.cloudflare.com/c/performance">Performance</a>, <a href="https://community.cloudflare.com/c/security">Security</a>, <a href="https://community.cloudflare.com/c/prodfeedback">Product Feedback</a>, etc., and created some tags to cover some of the more specific products and topics.  In time, we could expand to more dedicated categories around things like SSL or WAF, but we didn’t want to separate things off too much up front. There is also a <a href="https://community.cloudflare.com/c/meta">Meta</a> category where members can direct questions or suggestions about the Community. So, just put your topic in the area that you think is best, throw on a tag or two if necessary, and we’ll all figure this out together.  But don’t forget to search and see if someone’s already discussing it.</p>

<p>We aren’t degrading our presence on social media or other popular discussion sites.  But we are hopeful that having a centralized location will make it even easier for people who want to get together and discuss their Cloudflare experiences to find the conversations they are looking for.  So be sure to visit <a href="https://community.cloudflare.com/">community.cloudflare.com</a> and say hello! </p>]]></content:encoded></item><item><title><![CDATA[How eero mesh WiFi routers connect to the cloud]]></title><description><![CDATA[<p><em>This is a guest post by <a href="https://www.linkedin.com/in/gabekassel">Gabe Kassel</a>, Product Manager for Embedded Software at <a href="https://eero.com/">eero</a>.</em></p>

<p><img src="https://blog.cloudflare.com/content/images/2017/05/414726-eero.jpg" alt=""></p>

<p>Relying on a single wireless router to provide internet in every room of the home is like expecting a single light bulb to illuminate the entire house. It’s physics - WiFi radio waves don’</p>]]></description><link>https://blog.cloudflare.com/eero-cloudflare/</link><guid isPermaLink="false">749410cb-e565-474e-86b8-f38ac8f0a5c3</guid><category><![CDATA[Guest Author]]></category><category><![CDATA[WiFi]]></category><dc:creator><![CDATA[Dani Grant]]></dc:creator><pubDate>Wed, 03 May 2017 14:10:00 GMT</pubDate><content:encoded><![CDATA[<p><em>This is a guest post by <a href="https://www.linkedin.com/in/gabekassel">Gabe Kassel</a>, Product Manager for Embedded Software at <a href="https://eero.com/">eero</a>.</em></p>

<p><img src="https://blog.cloudflare.com/content/images/2017/05/414726-eero.jpg" alt=""></p>

<p>Relying on a single wireless router to provide internet in every room of the home is like expecting a single light bulb to illuminate the entire house. It’s physics - WiFi radio waves don’t travel through walls or objects easily. The <a href="https://eero.com/">eero Home WiFi System</a> is a new take on home connectivity, bucking the trend of one high-powered device in the center of the home. Instead, eero uses multiple access points that talk to each other via our proprietary mesh technology -- <a href="https://blog.eero.com/the-worlds-smartest-wifi-system-just-got-smarter-73888c4716e4#.othqlkrdz">TrueMesh</a> -- to spread coverage and a high throughput connection throughout a home. </p>

<p>eero’s hardware - its distributed access point system - solves the problem of spreading a consistent, stable WiFi signal in a home. But hardware is only part of the puzzle. On the backend of eero’s technology, we face different challenges: how do we build a highly available, high performance infrastructure that’s able to communicate with each eero device? We’ve discussed <a href="https://blog.eero.com/eero-at-scale-4636deef418c#.ua5ojuyej">parts of our architecture</a> previously, but we haven’t yet explored into how we use Cloudflare to eliminate one “single-point-of-failure” in our architecture.</p>

<h2 id="howeerosinteractwiththecloud">How eeros interact with the cloud</h2>

<p>eero devices are in near constant communication with our cloud. They send device diagnostic data to the cloud as well as data to support certain features in our mobile application. An example of this is when we added the ability for eero users to see real time data usage by device. While most products stream this data from a local server, both our user experience and security models rely on relaying that data through our cloud application to aggregate, analyze, and prevent direct local misuse from an unsecured web server. </p>

<p>In addition to streaming data to our cloud, eero devices need to continuously understand whether they have access to the internet. This specific architecture resulted in some special thinking. </p>

<p>First, we needed to ensure eero devices had a secondary source of truth (other than our cloud) to check if they could reach the internet. We originally thought about checking common resources like google.com and twitter.com, however we felt that had negative privacy implications since we didn’t own both sides of that request and connection.  We wanted to prevent third-party sites from counting or analyzing eero installations to preserve privacy. </p>

<p>Second, we wanted to make sure that this secondary check was truly “out of band” of our current cloud infrastructure. Since the internet itself is highly distributed, we needed a service that mimicked that and was resilient to swaths of the internet being unreachable.</p>

<h2 id="whatcloudflareallowsustodo">What Cloudflare allows us to do</h2>

<p>Enter Cloudflare. Cloudflare provides CDN, security, and high availability, all in one tool. By storing a small file in Amazon S3, with Cloudflare at that domain, we’re able to serve a secondary internet check to hundreds of thousands of devices. Regardless of whether that connection can reach Amazon S3 and regardless of the health of the internet at-large, we have confidence Cloudflare will deliver the file.</p>

<p>We’re essentially using Cloudflare as a cloud canary. Since Cloudflare exposes a robust API, we’re able to track eero requests to this secondary internet check to create alerts when eeros are not able to resolve our cloud. And, as a bonus, since the file is 99.97% of the time served from Cloudflare’s edge, we can serve hundreds of gigabytes of the same tiny file and not spend anything with S3 to do it.</p>

<p>Cloudflare enables eero to provide an “out of band,” high availability, and low cost method to test internet availability from every eero device. We’re excited to help Cloudflare think about the specific needs of Internet of Things products, and continue to build out features that support scale across millions of devices. To learn more about how eero is solving connectivity in the home visit us at <a href="https://eero.com/">www.eero.com</a>.</p>]]></content:encoded></item><item><title><![CDATA[IoT Security Anti-Patterns]]></title><description><![CDATA[<p>From security cameras to traffic lights, an increasing amount of appliances we interact with on a daily basis are internet connected. A device can be considered IoT-enabled when the functionality offered by its Embedded System is exposed through an internet connected API.</p>

<p>Internet-of-Things technologies inherit many attack vectors that appear</p>]]></description><link>https://blog.cloudflare.com/iot-security-anti-patterns/</link><guid isPermaLink="false">89836bc3-6d29-4557-a3f0-18280831d691</guid><category><![CDATA[IoT]]></category><category><![CDATA[API]]></category><category><![CDATA[Security]]></category><category><![CDATA[TLS]]></category><category><![CDATA[SSL/TLS]]></category><dc:creator><![CDATA[Junade Ali]]></dc:creator><pubDate>Tue, 02 May 2017 13:00:00 GMT</pubDate><media:content url="http://blog.cloudflare.com/content/images/2017/05/ATmega8_01_Pengo.jpg" medium="image"/><content:encoded><![CDATA[<img src="http://blog.cloudflare.com/content/images/2017/05/ATmega8_01_Pengo.jpg" alt="IoT Security Anti-Patterns"><p>From security cameras to traffic lights, an increasing amount of appliances we interact with on a daily basis are internet connected. A device can be considered IoT-enabled when the functionality offered by its Embedded System is exposed through an internet connected API.</p>

<p>Internet-of-Things technologies inherit many attack vectors that appear in other internet connected devices, however the low-powered hardware-centric nature of embedded systems presents them with unique security threats. Engineers building Internet-of-Things devices must take additional precautions to ensure they do not implement security anti-patterns when addressing new problems, this blog post will investigate four such anti-patterns that have been used by real Internet-of-Things devices.</p>

<p><img src="https://blog.cloudflare.com/content/images/2017/03/ATmega8_01_Pengo.jpg" alt="IoT Security Anti-Patterns" title=""><em>Atmel ATMEGA8 Microcontroller <a href="https://en.wikipedia.org/wiki/Atmel_AVR#/media/File:ATmega8_01_Pengo.jpg">Wikimedia Commons</a> - CC BY-SA 3.0</em></p>

<p><strong>HTTP Pub/Sub</strong>
<br>Every time your IoT-enabled alarm clock sounds, you may want it to tell your coffee machine to brew some coffee. In order to do this, your coffee machine may subscribe to messages published by your alarm clock. One such way of doing this is to implement the Publish/Subscribe Pattern within the API of the IoT devices, for this example let's assume our alarm clock and coffee machine communicate through HTTP.</p>

<p>In order to subscribe to messages from the alarm clock, the coffee machine sends a HTTP POST request to <code>https://alarmclock/publish</code> with the following body:</p>

<pre><code class="language-json">{  
   "on":"alarmSound",
   "to":"https:\/\/coffeemachine\/subscribe"
}
</code></pre>

<p>This JSON request instructs the alarm clock on every “alarmSound” event to send a HTTP request to the coffee machine. Whilst this may seem a simple and effective way of implementing the Pub/Sub pattern in HTTP, this poses a significant security risk.</p>

<p>By not being able to validate if the receiver of the subscribed message wants the message or not, there is effectively a DDOS vulnerability. An attacker with the ability to set subscriptions on the alarm clock can effectively send HTTP messages to any device or internet property they want. If this is done across enough devices, a DDOS vulnerability is created.</p>

<p>Toast popping out of a toaster or a car driving across a road traffic sensor could be the trigger of a future large scale DDOS against a web property.</p>

<p>For further reading, the limitation of Pub/Sub patterns in IoT within the context of the MQTT protocol are discussed in: <a href="http://ieeexplore.ieee.org/document/7872916/">Limitations of the Pub/Sub pattern for cloud based IoT and their implications</a> - Happ, D. and Wolisz, A. (2016).</p>

<p><strong>IoT Device as TLS Server</strong>
<br>As the embedded systems which power IoT devices have gained additional computational resources, more and more IoT developers have chosen to implement TLS to secure communications. Additionally cryptography libraries such as wolfSSL and mbedTLS, better suited to the performance requirements for embedded systems, have removed many of the engineering and performance complexities of adding TLS support to embedded systems.</p>

<p>One anti-pattern in implementing TLS on IoT devices is running devices themselves as web servers and using self-signed server-side certificates to encrypt such requests. Aside from the performance overhead of running web servers on embedded systems, they also pose a severe security risk by failing to maintain trust relationships. </p>

<p>In place of this; IoT devices can communicate through brokers; such brokers can act as web servers with a signed TLS certificates installed server-side which can be authenticated with devices using the X.509 standard. This can be done effectively by simply using the HTTP protocol. Like other kinds of message brokers, they will receive messages, perform validation, transformation and routing before sending them on by recipients.</p>

<p>Protocols like CoAP are specifically designed for brokerless Machine-to-Machine communication in low power environments, in its current form CoAP uses DTLS (RFC 4347) which supports pre-shared keys, raw public keys and X.509 certificate authentication.</p>

<p><strong>Unencrypted Bootloader</strong>
<br>Far from being in a datacenter, IoT devices can be left in insecure environments - as such extra precautions need to be taken to protect the memory on such a device. </p>

<p>Take the example of an IoT traffic counting device, installed in a locked cabinet at a roadside. A malicious adversary can break into the cabinet and steal the device with physical force. With the device in their possession they can extract software from the embedded system chip on the device to obtain the software running on it. By reverse engineering this software they can learn secrets in the memory of the onboard microcontroller.</p>

<p>When IoT devices can contain sensitive data in memory, locking them away may not always be sufficient. One solution to this problem is to encrypt the bootloaders on such devices - this provides a degree of cryptographic assurance that the secrets on the device will remain secret.</p>

<p><img src="https://blog.cloudflare.com/content/images/2017/03/Screen-Shot-2017-03-14-at-23.01.56.png" alt="IoT Security Anti-Patterns" title=""> <em>Documentation from <a href="http://www.atmel.com/images/doc2589.pdf">Atmel AVR231: AES Bootloader</a></em></p>

<p>There exists dedicated integrated Controller chips that allow for Hardware-based Key Storage at low cost; these chips can be used to prevent cloning and tampering of Embedded Systems. Examples include Atmel’s CryptoAuthentication chips and Microchip’s PIC24F GB2 microcontroller. </p>

<p>Other precautions should of course be taken, ensuring that keys are unique to a device and that revocation systems are in place, should keys be disclosed for whatever reason.</p>

<p>It is not merely enough to leave your secrets unencrypted on an embedded system in the hope no one will attempt to reverse engineer it. Taking appropriate security steps for the secrets your IoT device will store is vital.</p>

<p><strong>Database-as-IPC</strong>
<br>Instead of communicating over an abstract protocol like HTTP, developers may choose to use shortcuts by simply directly connecting to a database server to push data. Aside from being making permissions control harder, this opens up performance difficulties.</p>

<p>Lock contention is one such issue, when running UPDATE queries on rows other devices will end up waiting for locks on the database to be released before other queries can be done. Additionally, polling databases for changes can lead to IoT brokers becoming easily overloaded.</p>

<p>This Anti-Pattern can be mitigated by using a message broker service, exposed by a HTTP API. REST APIs are easier to cache, easier to scale and allow you to vary your database implementation independently of your API.</p>

<p>No matter how closed you think the usage of your IoT API is, take pride in it and seek to make it resilient to the forces of change later on. Abstracting your database away from your devices allows you to introduce a greater degree of security and also prevents other architectural headaches later on.</p>

<p><strong>Conclusion</strong>
<br>As the technology that powers the internet matures, so will the attacks it faces. IoT devices are set to see a unique set of security vulnerabilities, different to the set seen by other internet connected devices. As more IoT devices start to be unveiled, new security challenges will also unfold.</p>]]></content:encoded></item><item><title><![CDATA[Introducing TLS with Client Authentication]]></title><description><![CDATA[<p><img src="https://blog.cloudflare.com/content/images/2017/05/IOT_v3.1-1.png" alt=""></p>

<p>In a traditional TLS handshake, the client authenticates the server, and the server doesn’t know too much about the client. However, starting now, Cloudflare is offering enterprise customers TLS with client authentication, meaning that the server additionally authenticates that the client connecting to it is authorized to connect.</p>

<p>TLS</p>]]></description><link>https://blog.cloudflare.com/introducing-tls-client-auth/</link><guid isPermaLink="false">bf04e92f-aed6-4165-af80-55802dc80b62</guid><category><![CDATA[IoT]]></category><category><![CDATA[Security]]></category><category><![CDATA[Reliability]]></category><category><![CDATA[SSL/TLS]]></category><category><![CDATA[TLS]]></category><category><![CDATA[API]]></category><category><![CDATA[PKI]]></category><dc:creator><![CDATA[Dani Grant]]></dc:creator><pubDate>Mon, 01 May 2017 15:58:01 GMT</pubDate><content:encoded><![CDATA[<p><img src="https://blog.cloudflare.com/content/images/2017/05/IOT_v3.1-1.png" alt=""></p>

<p>In a traditional TLS handshake, the client authenticates the server, and the server doesn’t know too much about the client. However, starting now, Cloudflare is offering enterprise customers TLS with client authentication, meaning that the server additionally authenticates that the client connecting to it is authorized to connect.</p>

<p>TLS Client Authentication is useful in cases where a server is keeping track of hundreds of thousands or millions of clients, as in IoT, or in a mobile app with millions of installs exchanging secure information. For example, an IoT company can issue a unique client certificate per device, and then limit connections to their IoT infrastructure to only their devices by blocking connections where the client doesn’t present a certificate signed by the company’s certificate authority. </p>

<p>Or in the case of a mobile banking app, where the bank wants to ensure customers’ secure financial data doesn’t get stolen by bots spoofing their mobile app, they can issue a unique certificate to every app install and in the TLS handshake validate requests are coming from their mobile app. Client authentication is also useful for VPNs, enterprise networks or staging sites, where corporations and developers need to lock down connections to only laptops and phones owned by their employees and teammates.</p>

<p>You may be thinking - don’t we have API keys for that? But client certificates offer a layer of security that API keys cannot provide. If an API key gets compromised mid-connection, it can be reused to fire its own valid, trusted requests to the backend infrastructure. However, the private key of the client certificate is used to create a digital signature in every TLS connection, and so even if the certificate is sniffed mid-connection, new requests can’t be instantiated with it.</p>

<h2 id="handshakeswithtlsclientauth">Handshakes With TLS Client Auth</h2>

<p>In a handshake with TLS Client Authentication, the server expects the client to present a certificate, and sends the client a client certificate request with the server hello. Then in the key exchange in the next trip to the server, the client also sends its client certificate. The client certificate is then used to sign the TLS handshake and the digital signature is sent to the server for verification. You can see the whole handshake here:</p>

<p><img src="https://blog.cloudflare.com/content/images/2017/05/illustration-tls-ssl-client-auth.png" alt=""></p>

<h2 id="tlsclientauthenticationontheedge">TLS Client Authentication On The Edge</h2>

<p>TLS Client Authentication can be CPU intensive to implement - it’s an additional cryptographic operation on every request. And if there’s a flood of invalid traffic, each request in that traffic flood kicks off a verification step. Companies can move the TLS client authentication to Cloudflare’s edge to offload the expensive verification.</p>

<p>If we are performing TLS Client Authentication for a company, the company sends us the root certificate(s) we should validate the client certificates against. Then the company can set TLS Client Authentication to one of two modes: enforce mode returns a 403 and optional custom JSON or HTML when the client certificate is invalid, and report mode forwards all requests to the origin, even if the certificate is invalid. Cloudflare will send a header including the status of the certificate (none, valid, invalid) and the certificate Subject Key Identifier (SKI) to the origin. For companies that use the client certificate for identification, Cloudflare can also forward any field of the client certificate as a custom header.</p>

<p>We have TLS Client Auth set up on a test domain for you to try, at auth.pizza.</p>

<p>If you curl auth.pizza, you’ll get back a 403 and a custom JSON error, telling you that you are not authorized.</p>

<pre><code>curl https://auth.pizza -H 'Accept: application/json'  
</code></pre>

<p>However, if you download this certificate: <a href="https://support.cloudflare.com/hc/en-us/article_attachments/115000275371/pizza.pem">pizza.pem</a> and curl the domain again using that certificate, you will be authenticated.</p>

<pre><code>curl https://auth.pizza -H 'Accept: application/json' --cert pizza.pem  
</code></pre>

<p>Note that this demo is on the full domain, auth.pizza, but you can also set client auth on a subdomain, such as client.auth.pizza.</p>

<h2 id="getstarted">Get Started</h2>

<p>To use TLS client authentication, you must first set up PKI (Public Key Infrastructure) infrastructure to issue client certificates. If you are interested in running TLS client authentication but don’t have PKI infrastructure set up to issue client certificates, we have <a href="https://github.com/cloudflare/cfssl">open sourced our PKI</a> for you to use. Here is great documentation by our friends at CoreOS on <a href="https://coreos.com/os/docs/latest/generate-self-signed-certificates.html">how to use cfssl to issue client certificates</a>. If you prefer not to run your own CA and rely on an established certificate authority, we have partnered with a few certificate authorities who can provide the client certificates for you.</p>

<p>If you are an enterprise customer and would like to get started using TLS client authentication with Cloudflare, reach out to your account team and we’ll help you get setup. If you are not yet an enterprise customer but are interested in trying out TLS client authentication, <a href="https://www.cloudflare.com/plans/enterprise/contact/">get in touch</a>. </p>

<p>Within the next year, we’ll be adding TLS client authentication support for all Cloudflare plans. After all, using encryption to make the web more trusted is what we’re about. Stay tuned. </p>]]></content:encoded></item><item><title><![CDATA[Upcoming Cloudflare events: Berlin May 5-7, Austin & Portland May 11]]></title><description><![CDATA[Attending JS Conf, CSS Conf, or OSCON? Live in Berlin or Austin or Portland? Come over and join Cloudflare devs in the area at our upcoming events.]]></description><link>https://blog.cloudflare.com/upcoming-cloudflare-events-in-berlin-may-5-7-and-austin-5-11/</link><guid isPermaLink="false">f8874847-c1ad-4e5a-b99a-ee26b533be44</guid><category><![CDATA[Austin]]></category><category><![CDATA[Events]]></category><dc:creator><![CDATA[Jade Q. Wang]]></dc:creator><pubDate>Fri, 28 Apr 2017 00:40:00 GMT</pubDate><media:content url="http://blog.cloudflare.com/content/images/2017/04/21642453308_fe163b9f32_h.jpg" medium="image"/><content:encoded><![CDATA[<img src="http://blog.cloudflare.com/content/images/2017/04/21642453308_fe163b9f32_h.jpg" alt="Upcoming Cloudflare events: Berlin May 5-7, Austin & Portland May 11"><p>Attending <a href="https://2017.jsconf.eu">JS Conf EU</a>, <a href="https://2017.cssconf.eu/">CSS Conf</a>, or <a href="https://conferences.oreilly.com/oscon/oscon-tx">OSCON</a> in the next couple of weeks? Live in Berlin or Austin or Portland? Come over and join Cloudflare devs in the area at our upcoming events.</p>

<p><img src="https://blog.cloudflare.com/content/images/2017/04/21826255102_49855c7fd6_k.jpg" alt="Upcoming Cloudflare events: Berlin May 5-7, Austin & Portland May 11">
<small>JS Conf EU 2016. <a href="https://www.flickr.com/photos/blank22763/sets/72157659234990616">Photo</a> by <a href="https://twitter.com/hblank">Holger Blank</a>.</small></p>

<h2 id="inberlinattendingjsconfeuorcssconfeu">In Berlin? Attending JS Conf EU or CSS Conf EU?</h2>

<p>If you’re at JS Conf EU (May 6-7) or CSS Conf EU (May 5):</p>

<ul>
<li>Be sure to make it to John Fawcett’s session, “<a href="http://2017.jsconf.eu/speakers/john-fawcett-Invisible-code-building-javascript-libraries-for-non-technical-people.html">Invisible Code: Building JavaScript Libraries For Non-Technical People.</a>”</li>
<li>Made a <a href="https://www.cloudflare.com/apps/">Cloudflare App</a>? Drop by the Cloudflare Hacker Lounge to show me and I have a special gift for you.</li>
<li>Started working on a Cloudflare App and have questions? Drop by the Cloudflare Hacker Lounge and get them answered.</li>
</ul>

<p>Just happen to be in Berlin? Tweet <a href="https://twitter.com/qiqing">@qiqing</a> and <a href="https://twitter.com/icyapril">@IcyApril</a> to come hang out with us in person.</p>

<p><img src="https://blog.cloudflare.com/content/images/2017/04/appstore_preview.png" alt="Upcoming Cloudflare events: Berlin May 5-7, Austin & Portland May 11">
<small>Cloudflare Apps Preview. Visualize <em>your app</em> here. </small></p>

<h2 id="inaustinattendingoscon">In Austin? Attending OSCON?</h2>

<p>Join the core developers of <a href="https://www.cloudflare.com/apps/">Cloudflare Apps</a> for the <a href="https://www.meetup.com/Cloudflare-Austin/">inaugural Cloudflare meetup in Austin</a>. It will feature an introduction by Zack Bloom (tech lead) to the new Cloudflare Apps including details of how apps get created, moderated, installed, and served to millions of users all over the world.</p>

<p><strong>Bring your laptops!</strong></p>

<p>What: Zack Bloom: “How to make a Cloudflare App: Developer Preview” <br>
Where: <a href="https://capitalfactory.com/">Capital Factory</a>, 701 Brazos St Ste 1601, Austin, TX <br>
When: Thursday, May 11, 2017; 6:00 PM to 9:00 PM</p>

<p><a href="https://www.meetup.com/Cloudflare-Austin/events/239023804/">RSVP on meetup.com >></a></p>

<p>Core devs will be on-hand to help answer questions and serve as teaching assistants. T-shirts and dinner for every attendee. Special goodies for everyone who makes and tests an app. </p>

<p><a href="https://www.meetup.com/Cloudflare-Austin/events/239023804/"><img src="https://blog.cloudflare.com/content/images/2017/04/Graphic-for-Austin-Event_digital-01.png" alt="Upcoming Cloudflare events: Berlin May 5-7, Austin & Portland May 11" title=""></a></p>

<h2 id="portlandpdxnodepresentationnight">Portland: PDXnode Presentation Night</h2>

<p>Eric Teffen Ellis (core dev) will be live-coding a Cloudflare App, followed by Q&amp;A. Bring your laptops! New coders and new friends welcome. Say hi, make noise, and ask questions.</p>

<p>What: Eric Teffen Ellis: “Building apps for the web with Cloudflare.” <br>
Where: <a href="https://www.google.com/maps?f=q&amp;hl=en&amp;q=926+NW+13th+Ave+%23200,+Portland,+OR,+us">Vacasa</a>, 926 NW 13th Ave #200, Portland, OR <br>
When: Thursday, May 11, 2017; 6:00 PM to 9:00 PM</p>

<p><a href="https://www.meetup.com/pdxnode/events/238627172/">RSVP for PDX Node on meetup.com >></a></p>

<p>T-shirts and pizza for everyone.</p>

<h2 id="wherenext">Where next?</h2>

<p>Want to host a Cloudflare event? Want to request a speaker to teach Cloudflare Apps to your group? Drop a line to <a href="mailto:community@cloudflare.com">community@cloudflare.com</a>.</p>]]></content:encoded></item><item><title><![CDATA[Introducing Cloudflare Orbit: A Private Network for IoT Devices]]></title><description><![CDATA[<p><img src="https://blog.cloudflare.com/content/images/2017/04/orbit-1.png" alt=""></p>

<p>In October, we <a href="https://blog.cloudflare.com/say-cheese-a-snapshot-of-the-massive-ddos-attacks-coming-from-iot-cameras/">wrote about a 1.75M rps DDoS attack</a> we mitigated on our network, launched by 52,467 unique IP’s, mostly hacked CCTV cameras. </p>

<p>We continued to see more IoT devices in DDoS attacks, and so we started to put together a security solution to protect the</p>]]></description><link>https://blog.cloudflare.com/orbit/</link><guid isPermaLink="false">950d039a-6124-4f6f-ba4a-9c20d6e90c49</guid><category><![CDATA[Orbit]]></category><category><![CDATA[Security]]></category><category><![CDATA[DDoS]]></category><category><![CDATA[IoT]]></category><category><![CDATA[Product News]]></category><dc:creator><![CDATA[Dani Grant]]></dc:creator><pubDate>Thu, 27 Apr 2017 13:00:01 GMT</pubDate><content:encoded><![CDATA[<p><img src="https://blog.cloudflare.com/content/images/2017/04/orbit-1.png" alt=""></p>

<p>In October, we <a href="https://blog.cloudflare.com/say-cheese-a-snapshot-of-the-massive-ddos-attacks-coming-from-iot-cameras/">wrote about a 1.75M rps DDoS attack</a> we mitigated on our network, launched by 52,467 unique IP’s, mostly hacked CCTV cameras. </p>

<p>We continued to see more IoT devices in DDoS attacks, and so we started to put together a security solution to protect the devices from becoming part of the botnet in the first place. Today we’re announcing it: Cloudflare Orbit.</p>

<h2 id="pcerasecuritydoesntworkinioteracomputing">PC-era security doesn’t work in IoT-era computing</h2>

<p>As we talked to IoT companies, over and over again we heard the same thing. In the consumer electronics space, IoT manufacturers were telling us that they were shipping patches to their devices, but their end users didn’t always download and install them. (Reserve your judgment, how many times have you pressed ignore when your phone asked you to update its operating system?) In the industrial control, medical and automotive spaces, where devices are used in life-critical functions, we heard a different story. Even if someone wanted to apply a patch, it just wasn’t that easy. For example, even if the manager of a nuclear power plant wants to update software on their thermostats, shutting down operations long enough to do that means the update has to be scheduled. </p>

<p>This is if the device can be patched at all - most devices are patchable, but up to a point. When <a href="https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/">Jeep was shown to be vulnerable</a> to remote code execution, Chrysler had to <a href="https://www.wired.com/2015/07/jeep-hack-chrysler-recalls-1-4m-vehicles-bug-fix/">recall 1.4 million</a> vehicles.</p>

<p>This model where the end user is responsible for the security of the overall device is a relic of the PC age, where users knew and understood that their computers could have vulnerabilities, and as their software vendors released patches ––on so called “Patch Tuesdays,” for example––users knew to go and download them.</p>

<p>PC security does not work for IoT. Consumers do not share that similar understanding that they need to update their toasters, lightbulbs and cars, because they’ve never needed to in the past. And since we will never write perfect code, we <a href="http://www.economist.com/news/science-and-technology/21720268-consequences-pile-up-things-are-starting-improve-computer-security">need a better way of securing devices</a> without waiting for users to do it for us.</p>

<h2 id="introducingorbit">Introducing Orbit</h2>

<p>Thinking about this challenge, we were reminded of when the ShellShock vulnerability was discovered, Cloudflare was able to <a href="https://blog.cloudflare.com/shellshock-protection-enabled-for-all-customers/">automatically keep the requests</a> that would trigger the vulnerability from reaching our customers. With Orbit, Cloudflare can do the same thing, only for devices. For example, when Jeep was shown to be vulnerable, instead of recalling 1.4 million vehicles, Fiat Chrysler could have patched the bug in all the vehicles with just a simple rule in Cloudflare's firewall restricting access to the vulnerable DBUS service listening on port 6667 of every Jeep.</p>

<p>Orbit sits one layer before the device and provides a shield of security, so even if the device is running past its operating system’s expiration date, Cloudflare protects it from exploits. And while devices may be seldom patched, the Cloudflare security team is shipping code every day, adding new firewall rules to Cloudflare’s edge. Think of it like changing IoT to I*oT — devices can still access the Internet, but only after passing through Cloudflare where malicious requests can be filtered.</p>

<p>For the last year, Cloudflare has been working with a number of IoT vendors to develop Orbit. Already more than 120 million IoT devices are safer behind Cloudflare’s network. <a href="https://lockitron.com/">Lockitron</a> is one of the IoT companies using Cloudflare. “Keeping our products and customers secure is our primary concern,” says Paul Gerhardt, co-founder of Lockitron. “Cloudflare provides an extra layer of security that allows us to keep our devices continually updated and ahead of any vulnerabilities.”  </p>

<p>Instead of writing and shipping a patch, IoT companies can write logic on Cloudflare’s edge, and write their own firewall rules to run on Cloudflare, and it updates the Cloudflare Orbit layer immediately, for all of their devices, without their users ever being so much as nudged to install something.</p>

<p>Plus, with requests going through Cloudflare, Cloudflare can compress transmitted data and speed up traffic, meaning less time is spent waiting on open connections and more time left in battery.</p>

<h2 id="anextralayerofauthentication">An Extra Layer of Authentication</h2>

<p>A common challenge we heard from IoT device manufacturers was how to authenticate devices and know which connecting clients were authorized company devices, and which were bots only pretending to be. Starting today, Cloudflare now offers Enterprise domains <a href="https://support.cloudflare.com/hc/en-us/articles/115000088491">TLS Client Authentication</a>, a TLS handshake where the client authenticates the server’s certificate (as with any TLS handshake) and also the client has a certificate that the server authenticates.  </p>

<p>Some IoT vendors already implement their own Client Authentication, but do so at the same origin servers that handle the rest of their IoT infrastructure. Not only is this computationally expensive, but any invalid traffic flood causes a burden on the whole server. </p>

<p>With Client Authentication on Cloudflare, Cloudflare’s edge handles the load of the TLS handshakes, validating the device client certificates and only sending the IoT infrastructure traffic from authorized devices.</p>

<h2 id="whatpeoplearesaying">What People Are Saying</h2>

<p>“This approach of adding security to the network is extremely important for industrial manufacturers. Being able to patch vulnerabilities from the network rather than at the device level is a major shift in the way we secure IoT devices, and one that is completely necessary.”  — Sam Cece, CEO of <a href="https://www.swiftsensors.com/">Swift Sensors</a>, an industrial IoT company.</p>

<p>“Car controllers are IoT devices. Karamba Security hardens these devices and prevents cyberattacks with zero false positives to maintain driver and passenger safety. We view Cloudflare’s Orbit as a complementary solution that enables secure connectivity between the cars’ hardened controllers and the car company’s data center for trusted, over-the-air updates.” — Ami Dotan, CEO of <a href="https://www.karambasecurity.com/">Karamba Security</a>, which is building secure platforms for smart automobiles.</p>

<p>“We are at the beginning of a new era in which a vast number of devices will be connecting to the Internet and security will play a critical role in the successful roll-out and adoption of IoT devices. Cloudflare’s Orbit adds another layer of defense that compliments other security measures such as strong hardware-based device security and helps ensure a safer Internet of Things." — Quinn Li, VP and global head of <a href="https://www.qualcommventures.com/">Qualcomm Ventures</a>, the investment arm of Qualcomm Incorporated, the leading supplier of components for IoT devices.</p>

<p>"IoT devices create a distinct security challenge both because of the inability of most end users to update their software, as well as the cost that manufacturers bear if they release an update that bricks devices. This is even worse for legacy devices, many of which are effectively unpatchable.  Cloudflare's Orbit provides a unique approach to help with these challenges, by deploying a defensive layer in the network where security updates can be safely made without end-user intervention or on-device changes."  — Michael Freedman, professor of computer science at Princeton University and CTO of <a href="http://www.timescale.com/">Timescale</a>.</p>

<p><img src="https://blog.cloudflare.com/content/images/2017/04/IoT-Illustration-infographic.jpg" alt=""></p>

<h2 id="getstarted">Get Started</h2>

<p>Orbit is available now to all IoT device companies. To learn more or get started, <a href="https://www.cloudflare.com/orbit/">visit the site</a>, or <a href="https://www.cloudflare.com/plans/enterprise/contact/">get in touch</a>. We’re excited to hear from you. </p>]]></content:encoded></item></channel></rss>